Posted to issues@solr.apache.org by "Babiel (Jira)" <ji...@apache.org> on 2023/07/27 07:42:00 UTC

[jira] [Comment Edited] (SOLR-16905) Java Security Manager rules don't include "solr.allowPaths" property

    [ https://issues.apache.org/jira/browse/SOLR-16905?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17747817#comment-17747817 ] 

Babiel edited comment on SOLR-16905 at 7/27/23 7:41 AM:
--------------------------------------------------------

[~krisden] 
{quote}have you tried adding the suggested solr.allowPaths lines to security.policy when you enable the security manager? Did it fix the issue?
{quote}
I just did, it works:
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";


ps aux | grep solr
[...]
-Djava.security.manager -Djava.security.policy=/opt/solr-9.2.1/server/etc/security.policy -Djava.security.properties=/opt/solr-9.2.1/server/etc/security.properties
[...]


curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xxx_20230725145421&collection=xxx&location=file:///opt/backup/solr/xxx&async=20230725145421'
{
  "responseHeader":{
    "status":0,
    "QTime":11},
  "requestid":"20230725145421"}{code}
Removing entries from /opt/solr-9.2.1/server/etc/security.policy to check that it bricks
{code:java}
grep allowPaths /opt/solr-9.2.1/server/etc/security.policy


curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xxx_20230725145422&collection=xxx&location=file:///opt/backup/solr/xxx&async=20230725145422'
{
  "responseHeader":{
    "status":500,
    "QTime":9},
  "error":{
    "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup/solr/xxx\" \"read\")",{code}
It bricks without it.


> Java Security Manager rules don't include "solr.allowPaths" property
> --------------------------------------------------------------------
>
>                 Key: SOLR-16905
>                 URL: https://issues.apache.org/jira/browse/SOLR-16905
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: security
>    Affects Versions: 9.2.1
>            Reporter: Babiel
>            Priority: Major
>
> Hi all,
> we've upgraded from Solr 8.11 to Solr 9.2, which bricked our Solr Backup. Since Solr 8.6 we configure solr.allowPaths, because our backup destination is outside the Solr home directory. We do this using the solr.in.sh:
> {code:java}
> SOLR_OPTS="$SOLR_OPTS -Dsolr.allowPaths=/opt/backup"{code}
> Since Solr 9 we received the following error message when trying to create a backup:
> {code:java}
> curl -sk 'http://localhost:8983/solr/admin/collections?action=BACKUP&name=xyz&collection=xyz&location=/opt/backup'
> {
>   "responseHeader":{
>     "status":500,
>     "QTime":0},
>   "error":{
>     "msg":"access denied (\"java.io.FilePermission\" \"/opt/backup\" \"read\")",
> ...{code}
> After some debugging we discovered that since Solr 9 the Java Security Manager is enabled by default. However, it doesn't have a default rule to allow access to the path which is set using the "solr.allowPaths" property:
> {code:java}
> grep allowPaths /opt/solr-9.2.1/server/etc/security.policy{code}
> We disabled the Java Security Manager for now, but our guess is that the security policy should be expanded by
> {code:java}
>   permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
>   permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";{code}
>  
> Cheers
> Dennis
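
The policy entries discussed in this issue can be checked offline before a backup is attempted. The following is an added example, not part of the Jira thread or of Solr's own tooling: it expands `${solr.allowPaths}` and `${/}` in a policy file and reports whether a given location is covered. The `policy_allows` helper, its simplified matching rules, and the sample policy file are assumptions constructed for illustration.

```shell
# policy_allows POLICY ALLOW_PATHS TARGET ACTION
# Exit 0 if a java.io.FilePermission entry in POLICY grants ACTION on TARGET
# once ${solr.allowPaths} and ${/} are expanded (simplified matcher: exact
# path, "dir/-" recursive, "dir/*" direct children, "<<ALL FILES>>").
policy_allows() {
  awk -v allow="$2" -v target="$3" -v action="$4" '
    function repl(s, from, to,    i, out) {      # literal, non-regex replace
      out = ""
      while ((i = index(s, from)) > 0) {
        out = out substr(s, 1, i - 1) to
        s = substr(s, i + length(from))
      }
      return out s
    }
    /^[ \t]*\/\// { next }                        # skip commented-out entries
    /permission[ \t]+java\.io\.FilePermission/ {
      if (split($0, q, "\"") < 5) next            # q[2] = path, q[4] = actions
      path = q[2]; acts = q[4]
      # Assumption: an entry whose property is unset is ignored by the JVM.
      if (allow == "" && index(path, "${solr.allowPaths}")) next
      path = repl(repl(path, "${solr.allowPaths}", allow), "${/}", "/")
      gsub(/[ \t]/, "", acts)
      if (!index("," acts ",", "," action ",")) next
      base = substr(path, 1, length(path) - 1)    # "dir/" for "dir/-", "dir/*"
      rest = substr(target, length(base) + 1)
      inside = (index(target, base) == 1 && rest != "")
      if (path == target || path == "<<ALL FILES>>") found = 1
      else if (path ~ /\/-$/ && inside) found = 1
      else if (path ~ /\/\*$/ && inside && !index(rest, "/")) found = 1
      if (found) exit
    }
    END { exit(found ? 0 : 1) }
  ' "$1"
}

# Constructed sample: the two entries proposed in the issue, in a temp file.
SAMPLE_POLICY=$(mktemp)
trap 'rm -f "$SAMPLE_POLICY"' EXIT
cat > "$SAMPLE_POLICY" <<'EOF'
grant {
  permission java.io.FilePermission "${solr.allowPaths}", "read,write,delete,readlink";
  permission java.io.FilePermission "${solr.allowPaths}${/}-", "read,write,delete,readlink";
};
EOF
for t in /opt/backup /opt/backup/solr/xxx /opt/other; do
  if policy_allows "$SAMPLE_POLICY" /opt/backup "$t" read
  then echo "allowed: $t"; else echo "denied:  $t"; fi
done
```

Both entries matter in this matcher: the first covers the directory itself, the second everything beneath it.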


