Posted to server-dev@james.apache.org by "Guillermo Grandes (JIRA)" <se...@james.apache.org> on 2006/09/23 19:03:24 UTC

[jira] Commented: (JAMES-636) Policy in environment.xml is... ignored?!?

    [ http://issues.apache.org/jira/browse/JAMES-636?page=comments#action_12437124 ] 
            
Guillermo Grandes commented on JAMES-636:
-----------------------------------------

Well, my phoenix.sh is a little different... I don't have any goto ;-)  but yes, I'm using security manager, my running command line is:

/usr/java/java15/bin/java
    -Dprogram.name=JAMES1 -Xms128m -Xmx256m
    -Djava.ext.dirs=/opt/james/lib:/opt/james/tools/lib 
!    -Djava.security.manager 
!    -Djava.security.policy=jar:file:/opt/james/bin/phoenix-loader.jar!/META-INF/java.policy
    -Dphoenix.home=/opt/james
    -Djava.io.tmpdir=/opt/james/temp
    -jar /opt/james/bin/phoenix-loader.jar

The modified cvs-migration-snapshot code of Phoenix (I was looking at it last night) seems to be quite different from kickjava.com. Is this the latest version, 4.2? Until now I have been guiding myself by pages like this (and docjar.com, MacGyver style), which makes it difficult for me to work :-(

Many thanks for the info! :-)

Stefano Says:

    Hi Guillermo,
    
    I don't know/don't have time currently to look at what happened, but we could try fix things in Phoenix.
    
    As you can read in the JAMES_PHOENIX.txt file in the root of our source  tree we're currently using a modified build of 

    https://svn.apache.org/repos/asf/avalon/cvs-migration-snapshot/avalon-phoenix/
    
    Have you set $PHOENIX_SECURE to true before starting phoenix? I see the following things in the run scripts:
    ---
    if [ "$PHOENIX_SECURE" != "false" ] ; then
       # Make phoenix run with security manager enabled
       JVM_OPTS="$JVM_OPTS -Djava.security.manager"
    fi
    ---
    if "%PHOENIX_SECURE%" == "false" goto postSecure
    
    rem Make Phoenix run with security Manager enabled
    set PHOENIX_SM="-Djava.security.manager"
    
    :postSecure
    ---
    
    Maybe this has nothing to do with your problem, but is the only information I can give to you.
    
    I think that Loom is not an option to James because it is simply a branch of Phoenix and it also is no more developed.
    
    In the future (far future) we could switch to plexus (the maven container, that is getting more interest and is supporting also avalon components) or to felix, but I think we should try to fix the security in phoenix if we find "where" to put our hands.
    
    Stefano


> Policy in environment.xml is... ignored?!?
> ------------------------------------------
>
>                 Key: JAMES-636
>                 URL: http://issues.apache.org/jira/browse/JAMES-636
>             Project: James
>          Issue Type: Bug
>    Affects Versions: Trunk, 2.3.0rc3
>         Environment: James 2.3.0rc3 / 3.0
>            Reporter: Guillermo Grandes
>         Attachments: james.policy
>
>
> I have been testing to secure James and have seen that there is the option to add policies in the file environment.xml, but in versions 2.3 and 3.0 it does not work. I suppose it has to do with the migration to Phoenix 4.2 from 4.0.1; it seems that it simply ignores them quietly and treats it like an AllPermission, strange.
> In James 2.2 if no policy is configured, phoenix.log says:
> [Phoenix.] (): No policy specified in server.xml, giving full permissions to ServerApplication.
> In 2.3 / 3.0 no message is shown...
> I have used a policy like this, and... it never throws security exceptions...
>     <policy>
>         <grant code-base="file:${app.home}${/}lib${/}*">
>             <permission class="java.io.FilePermission"
>                         target="${app.home}${/}*"
>                         action="read,write" />
>         </grant>
>     </policy>
> I have even tried to make a FileInputStream of /etc/passwd and... it has eaten it, no security exception :(
> In Loom 1.0-rc3 it is the same, the policy is ignored...
> At the moment the workaround is modifying directly the policy of phoenix-loader.jar and restricting it at the global level of the JVM.
> I have opened a ticket in Codehaus for Loom 1.0rc3, in the case of Phoenix... "two stones" :-)
> See also: http://jira.codehaus.org/browse/LOOM-81
> I am reporting this in case somebody can do something.


        

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
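
Added example, not part of the original message and not James or Phoenix code: a small probe that repeats the check described in the issue (open /etc/passwd, which the <policy> block does not grant) and reports whether the policy is actually enforced. The class name PolicyProbe and its methods are hypothetical; it assumes the class is deployed in the application's lib directory so that the code-base grant applies to it.

```java
import java.io.FileInputStream;
import java.io.IOException;
// Added example: hypothetical probe, not part of James or Phoenix.
public final class PolicyProbe {

    enum Result { DENIED, ALLOWED, IO_ERROR }

    // Try to open a file the policy does not grant, as the reporter did.
    static Result tryRead(String path) {
        try {
            FileInputStream in = new FileInputStream(path);
            in.close();
            return Result.ALLOWED;
        } catch (SecurityException e) {
            return Result.DENIED;      // the security manager refused the read
        } catch (IOException e) {
            return Result.IO_ERROR;    // OS-level failure: says nothing about the policy
        }
    }

    // Build a one-shot report; call it from a component loaded from the
    // application's lib directory so the <grant code-base=...> applies to it.
    public static String report(String outsidePath) {
        StringBuilder sb = new StringBuilder();
        boolean installed = System.getSecurityManager() != null;
        sb.append("SecurityManager installed: ").append(installed).append('\n');
        try {
            sb.append("code source: ").append(PolicyProbe.class.getProtectionDomain().getCodeSource()).append('\n');
        } catch (SecurityException e) {
            sb.append("code source: not readable under the current policy\n");
        }
        Result r = tryRead(outsidePath);
        sb.append("read ").append(outsidePath).append(": ").append(r).append('\n');
        if (!installed) {
            sb.append("VERDICT: not enforced (no security manager)");
        } else if (r == Result.ALLOWED) {
            sb.append("VERDICT: policy not restricting this code base");
        } else if (r == Result.DENIED) {
            sb.append("VERDICT: policy enforced for this path");
        } else {
            sb.append("VERDICT: inconclusive, pick a file that exists");
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        System.out.println(report(args.length > 0 ? args[0] : "/etc/passwd"));
    }
}
```

The "code source" line shows the location a grant's code-base has to match; a read that comes back ALLOWED while the security manager is installed is the symptom described in the issue.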


Re: [jira] Commented: (JAMES-636) Policy in environment.xml is... ignored?!?

Posted by Stefano Bagnara <ap...@bago.org>.
Guillermo Grandes (JIRA) wrote:
>     [ http://issues.apache.org/jira/browse/JAMES-636?page=comments#action_12437124 ] 
>             
> Guillermo Grandes commented on JAMES-636:
> -----------------------------------------
> 
> Well, my phoenix.sh is a little different... I don't have any goto ;-)  but yes, I'm using security manager, my running command line is:

I pasted both the snippet from the Windows file and the one from the 
Unix file. goto was only in the Windows file, of course.

> /usr/java/java15/bin/java
>     -Dprogram.name=JAMES1 -Xms128m -Xmx256m
>     -Djava.ext.dirs=/opt/james/lib:/opt/james/tools/lib 
> !    -Djava.security.manager 
> !    -Djava.security.policy=jar:file:/opt/james/bin/phoenix-loader.jar!/META-INF/java.policy
>     -Dphoenix.home=/opt/james
>     -Djava.io.tmpdir=/opt/james/temp
>     -jar /opt/james/bin/phoenix-loader.jar
> 
> The modified cvs-migration-snapshot code of Phoenix (I was looking at it last night) seems to be quite different from kickjava.com. Is this the latest version, 4.2? Until now I have been guiding myself by pages like this (and docjar.com, MacGyver style), which makes it difficult for me to work :-(

There is no official 4.2 release for Phoenix. We are using the latest 
trunk with a few updates (read the JAMES_PHOENIX.txt file for more 
information).

Stefano

