Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/14 07:01:53 UTC

[lucene-solr] 01/01: SOLR-13984: add (experimental, disabled by default) security manager support.

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch jira/SOLR-13984
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git

commit 0deefcbd3148caa2e4e64f1c442a34a822b49c3d
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sat Dec 14 01:58:01 2019 -0500

    SOLR-13984: add (experimental, disabled by default) security manager support.
    
    *nix only at the moment (no .cmd changes yet)
    
    The current policy file used by tests is moved to solr/server
    Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.
    
    This takes advantage of the fact that permission entries are ignored if properties are not defined:
    https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
---
 solr/bin/solr                                      | 11 ++++++-
 solr/bin/solr.in.sh                                |  5 +++
 solr/common-build.xml                              |  2 +-
 .../server/etc/security.policy                     | 38 +++++++++++++++++++++-
 4 files changed, 53 insertions(+), 3 deletions(-)

diff --git a/solr/bin/solr b/solr/bin/solr
index 9a5a4a2..c196850 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2069,6 +2069,15 @@ else
   REMOTE_JMX_OPTS=()
 fi
 
+# Enable java security manager (limiting filesystem access and other things)
+if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
+  SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
+    "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
+    '-Dsolr.internal.network.permission=*')
+else
+  SECURITY_MANAGER_OPTS=()
+fi
+
 JAVA_MEM_OPTS=()
 if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
   JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
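Review bot: The single `=` in `-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy` on the third added line makes security.policy an addition to the JDK's default policy rather than a replacement, so grants from the JRE's built-in java.policy still apply alongside it. If the intent is for this file to be the only source of grants, the property needs the double-equals form, `"-Djava.security.policy==${SOLR_SERVER_DIR}/etc/security.policy"`, which the policy-file documentation linked in the commit message describes. Either choice is defensible, but a one-line comment above the `SECURITY_MANAGER_OPTS` assignment saying which one was made, e.g. `# single '=' keeps the JDK default policy in effect; use '==' to make this file the only policy`, would spare the next reader a trip to that page. The same array is consumed in the start_solr hunk below, where it is appended after `${SOLR_OPTS[@]}`.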
@@ -2178,7 +2187,7 @@ function start_solr() {
     "-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
     "${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
     "-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
-    "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}")
+    "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
 
   if [ "$SOLR_MODE" == "solrcloud" ]; then
     IN_CLOUD_MODE=" in SolrCloud mode"
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d4e6b7b..9f729d1 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -203,3 +203,8 @@
 # a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
 # label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
 #SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+# Runs solr in java security manager sandbox. This can protect against some attacks.
+# Runtime properties are passed to the security policy file (server/etc/security.policy)
+# This is experimental! It may not work at all with HDFS.
+#SOLR_SECURITY_MANAGER_ENABLED=false
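Review bot: The commented-out example on the last added line shows `false`, which is the same as leaving the variable unset, so an operator who uncomments it gets no change; the bin/solr hunk in this commit turns the manager on only when the value is exactly the string `true`. I would state that in the comment, `# Set to "true" to enable (any other value leaves it off); grants come from server/etc/security.policy`, and show the example as `#SOLR_SECURITY_MANAGER_ENABLED=true` so that uncommenting does what the surrounding text promises. "This can protect against some attacks" could also name what is being constrained, which the bin/solr comment gives as filesystem access, so operators know what to exercise before enabling it on a live node.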
diff --git a/solr/common-build.xml b/solr/common-build.xml
index 9b7b9d9..af2d5c8 100644
--- a/solr/common-build.xml
+++ b/solr/common-build.xml
@@ -38,7 +38,7 @@
   <property name="maven.dist.dir" location="${package.dir}/maven"/>
   <property name="lucene-libs" location="${dest}/lucene-libs" />
   <property name="tests.userdir" location="src/test-files"/>
-  <property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
+  <property name="tests.policy" location="${common-solr.dir}/server/etc/security.policy"/>
   <property name="server.dir" location="${common-solr.dir}/server" />
   <property name="example" location="${common-solr.dir}/example" />
   <property name="javadoc.dir" location="${dest}/docs"/>
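Review bot: After this change the test run and the shipped server share one policy file, so a grant added for a test's convenience now lands in production and a tightening made for production can break the test suite. Since `tests.policy` now points at a packaged artifact, a comment on the property, `<!-- tests run under the same policy the server ships with; keep test-only grants out of it -->`, would make that coupling visible to whoever next edits either side. The policy file's own header describes its first grant block as permissions needed for tests to pass, keyed on build-system properties; whether any of them become live at runtime depends on bin/solr never setting a property of the same name, which cannot be confirmed from this diff.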
diff --git a/lucene/tools/junit4/solr-tests.policy b/solr/server/etc/security.policy
similarity index 79%
rename from lucene/tools/junit4/solr-tests.policy
rename to solr/server/etc/security.policy
index b178d6b..73da119 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/solr/server/etc/security.policy
@@ -15,8 +15,10 @@
  * limitations under the License.
  */
 
-// Policy file for solr tests. Please keep minimal and avoid wildcards.
+// Policy file for solr. Please keep minimal and avoid wildcards.
 
+// permissions needed for tests to pass, based on properties set by the build system
+// NOTE: if the property is not set, the permission entry is ignored.
 grant {
   // contain read access to only what we need:
   // 3rd party jar resources (where symlinks are not supported), test-files/ resources
@@ -163,3 +165,37 @@ grant {
   // used by solr to create sandboxes (e.g. script execution)
   permission java.security.SecurityPermission "createAccessControlContext";
 };
+
+// additional permissions based on system properties set by /bin/solr
+// NOTE: if the property is not set, the permission entry is ignored.
+grant {
+  permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${jetty.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${jetty.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.data.home}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.data.home}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.default.confdir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,write,delete,readlink";
+
+  permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
+  permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
+
+  // expanded to a wildcard if set, allows all networking everywhere
+  permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
+};
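Review bot: Every filesystem entry in the new grant block carries `read,write,delete,readlink`, including the keystore, truststore, credential provider path, install dir and default confdir, although the file's own header asks to keep grants minimal and those locations are presumably only read at runtime, with write and delete needed for `solr.solr.home`, `solr.data.home` and `solr.log.dir`. I would reduce the static-content entries to read-only, e.g. `permission java.io.FilePermission "${solr.jetty.keystore}", "read,readlink";`, and drop the `${/}-` recursive twins for the keystore and truststore, which name files rather than directories, unless something in the server is known to rewrite them. Separately, `hadoop.security.credential.provider.path` normally holds a list of provider URIs rather than a filesystem path, so a FilePermission on its literal value may never match the file actually opened; that deserves a comment or a check against an HDFS-backed setup, which the solr.in.sh hunk already flags as untested. The SocketPermission entry is wired to `*` unconditionally by bin/solr, so there is currently no narrower setting an operator can choose; a comment saying so next to the existing "allows all networking everywhere" line would stop readers assuming the property is tunable.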