You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/02 10:37:24 UTC
[lucene-solr] branch master updated: SOLR-13986: remove execute permission from solr-tests.policy

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/master by this push:
     new 1d238c8  SOLR-13986: remove execute permission from solr-tests.policy
1d238c8 is described below

commit 1d238c844e45f088a942aec14750c186c7a66d92
Author: Robert Muir <rm...@apache.org>
AuthorDate: Mon Dec 2 05:36:29 2019 -0500

    SOLR-13986: remove execute permission from solr-tests.policy
---
 .../apache/lucene/util/TestSecurityManager.java    | 63 ++++++++++++++++++++++
 lucene/tools/junit4/solr-tests.policy              | 12 ++---
 2 files changed, 69 insertions(+), 6 deletions(-)

diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
index 99c6270..70539cd 100644
--- a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
+++ b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
@@ -41,6 +41,69 @@ public final class TestSecurityManager extends SecurityManager {
     super();
   }
 
+  // TODO: move this stuff into a Solr (non-test) SecurityManager!
+  /**
+   * {@inheritDoc}
+   * <p>This method implements hacks to workaround hadoop's garbage Shell and FileUtil code
+   */
+  @Override
+  public void checkExec(String cmd) {
+    // NOTE: it would be tempting to just allow anything from hadoop's Shell class, but then
+    // that would just give an easy vector for RCE (use hadoop Shell instead of e.g. ProcessBuilder)
+    // so we whitelist actual caller impl methods instead.
+    for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
+      // hadoop insists on shelling out to get the user's supplementary groups?
+      if ("org.apache.hadoop.security.ShellBasedUnixGroupsMapping".equals(element.getClassName()) &&
+          "getGroups".equals(element.getMethodName())) {
+        return;
+      }
+      // hadoop insists on shelling out to parse 'df' command instead of using FileStore?
+      if ("org.apache.hadoop.fs.DF".equals(element.getClassName()) &&
+          "getFilesystem".equals(element.getMethodName())) {
+        return;
+      }
+      // hadoop insists on shelling out to parse 'du' command instead of using FileStore?
+      if ("org.apache.hadoop.fs.DU".equals(element.getClassName()) &&
+          "refresh".equals(element.getMethodName())) {
+        return;
+      }
+      // hadoop insists on shelling out to parse 'ls' command instead of java nio apis?
+      if ("org.apache.hadoop.util.DiskChecker".equals(element.getClassName()) &&
+          "checkDir".equals(element.getMethodName())) {
+        return;
+      }
+      // hadoop insists on shelling out to parse 'stat' command instead of Files.getAttributes?
+      if ("org.apache.hadoop.fs.HardLink".equals(element.getClassName()) &&
+          "getLinkCount".equals(element.getMethodName())) {
+        return;
+      }
+      // hadoop "canExecute" method doesn't handle securityexception and fails completely.
+      // so, lie to it, and tell it we will happily execute, so it does not crash.
+      if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
+          "canExecute".equals(element.getMethodName())) {
+        return;
+      }
+    }
+    super.checkExec(cmd);
+  }
+
+  /**
+   * {@inheritDoc}
+   * <p>This method implements hacks to workaround hadoop's garbage FileUtil code
+   */
+  @Override
+  public void checkWrite(String file) {
+    for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
+      // hadoop "canWrite" method doesn't handle securityexception and fails completely.
+      // so, lie to it, and tell it we will happily write, so it does not crash.
+      if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
+          "canWrite".equals(element.getMethodName())) {
+        return;
+      }
+    }
+    super.checkWrite(file);
+  }
+
   /**
    * {@inheritDoc}
    * <p>This method inspects the stack trace and checks who is calling
diff --git a/lucene/tools/junit4/solr-tests.policy b/lucene/tools/junit4/solr-tests.policy
index 69013eb..82ed0bf 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/lucene/tools/junit4/solr-tests.policy
@@ -25,13 +25,13 @@
 
 grant {
   // permissions for file access, write access only to sandbox:
-  permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
-  permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
-  permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
-  permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
+  permission java.io.FilePermission "<<ALL FILES>>", "read";
+  permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
+  permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
+  permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
   permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
-  permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
-  permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
+  permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
+  permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
   permission java.io.FilePermission "${tests.linedocsfile}", "read";
   permission java.nio.file.LinkPermission "hard";