Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/14 07:01:53 UTC
[lucene-solr] 01/01: SOLR-13984: add (experimental,
disabled by default) security manager support.
This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch jira/SOLR-13984
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
commit 0deefcbd3148caa2e4e64f1c442a34a822b49c3d
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sat Dec 14 01:58:01 2019 -0500
SOLR-13984: add (experimental, disabled by default) security manager support.
*nix only at the moment (no .cmd changes yet)
The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by bin/solr, and networking everywhere is enabled.
This takes advantage of the fact that permission entries are ignored if properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp
---
solr/bin/solr | 11 ++++++-
solr/bin/solr.in.sh | 5 +++
solr/common-build.xml | 2 +-
.../server/etc/security.policy | 38 +++++++++++++++++++++-
4 files changed, 53 insertions(+), 3 deletions(-)
diff --git a/solr/bin/solr b/solr/bin/solr
index 9a5a4a2..c196850 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2069,6 +2069,15 @@ else
REMOTE_JMX_OPTS=()
fi
+# Enable java security manager (limiting filesystem access and other things)
+if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
+ SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
+ "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
+ '-Dsolr.internal.network.permission=*')
+else
+ SECURITY_MANAGER_OPTS=()
+fi
+
JAVA_MEM_OPTS=()
if [ -z "$SOLR_HEAP" ] && [ -n "$SOLR_JAVA_MEM" ]; then
JAVA_MEM_OPTS=($SOLR_JAVA_MEM)
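Review bot: The single `=` in `-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy` makes the file an addition to the JRE's default policy (the `policy.url.*` entries in java.security), so the effective grant set is the union of both, not the "minimal" set the policy file's header asks for; if the bundled file is meant to be the only source of permissions, the double-equals form `"-Djava.security.policy==${SOLR_SERVER_DIR}/etc/security.policy"` replaces the defaults instead of augmenting them. Separately, `-Dsolr.internal.network.permission=*` is hardcoded here and the policy expands it into an unrestricted SocketPermission, which is easy to miss when reading this block on its own; a comment such as `# networking is not restricted: the policy expands this property to SocketPermission "*"` would make that explicit. The `else`/`fi` at the top of the hunk close a REMOTE_JMX_OPTS branch that starts outside the hunk.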
@@ -2178,7 +2187,7 @@ function start_solr() {
"-Djetty.port=$SOLR_PORT" "-DSTOP.PORT=$stop_port" "-DSTOP.KEY=$STOP_KEY" \
"${SOLR_HOST_ARG[@]}" "-Duser.timezone=$SOLR_TIMEZONE" \
"-Djetty.home=$SOLR_SERVER_DIR" "-Dsolr.solr.home=$SOLR_HOME" "-Dsolr.data.home=$SOLR_DATA_HOME" "-Dsolr.install.dir=$SOLR_TIP" \
- "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}")
+ "-Dsolr.default.confdir=$DEFAULT_CONFDIR" "${LOG4J_CONFIG[@]}" "${SOLR_OPTS[@]}" "${SECURITY_MANAGER_OPTS[@]}")
if [ "$SOLR_MODE" == "solrcloud" ]; then
IN_CLOUD_MODE=" in SolrCloud mode"
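Review bot: Appending `"${SECURITY_MANAGER_OPTS[@]}"` after `"${SOLR_OPTS[@]}"` means the hardcoded `-Dsolr.internal.network.permission=*` wins over any value a user puts in SOLR_OPTS, since the JVM takes the last definition of a duplicated `-D` property; an operator who wants to narrow the SocketPermission target from solr.in.sh has no way to do so. If overriding from SOLR_OPTS is meant to be possible, place `"${SECURITY_MANAGER_OPTS[@]}"` before `"${SOLR_OPTS[@]}"` in the argument list, or document that the property is fixed. It is also not visible from this hunk whether other JVM launch paths in bin/solr exist that would now run without the security manager; worth confirming that start_solr is the only one intended. start_solr continues outside the hunk.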
diff --git a/solr/bin/solr.in.sh b/solr/bin/solr.in.sh
index d4e6b7b..9f729d1 100644
--- a/solr/bin/solr.in.sh
+++ b/solr/bin/solr.in.sh
@@ -203,3 +203,8 @@
# a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
# label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
#SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+# Runs solr in java security manager sandbox. This can protect against some attacks.
+# Runtime properties are passed to the security policy file (server/etc/security.policy)
+# This is experimental! It may not work at all with HDFS.
+#SOLR_SECURITY_MANAGER_ENABLED=false
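Review bot: "This can protect against some attacks" tells an operator nothing about what the sandbox does or does not cover, and nothing here says that networking stays unrestricted when it is enabled. A more useful comment would state the actual scope, e.g. `# Runs solr under the java security manager. Filesystem access is limited to the directories configured in this file (home, data, logs, install dir, keystores); network access is NOT restricted.` and keep the existing note that the policy lives in server/etc/security.policy and that HDFS may not work. The commented-out default `#SOLR_SECURITY_MANAGER_ENABLED=false` is consistent with the `== "true"` check in bin/solr, so only the wording needs work.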
diff --git a/solr/common-build.xml b/solr/common-build.xml
index 9b7b9d9..af2d5c8 100644
--- a/solr/common-build.xml
+++ b/solr/common-build.xml
@@ -38,7 +38,7 @@
<property name="maven.dist.dir" location="${package.dir}/maven"/>
<property name="lucene-libs" location="${dest}/lucene-libs" />
<property name="tests.userdir" location="src/test-files"/>
- <property name="tests.policy" location="${common-solr.dir}/../lucene/tools/junit4/solr-tests.policy"/>
+ <property name="tests.policy" location="${common-solr.dir}/server/etc/security.policy"/>
<property name="server.dir" location="${common-solr.dir}/server" />
<property name="example" location="${common-solr.dir}/example" />
<property name="javadoc.dir" location="${dest}/docs"/>
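Review bot: Pointing `tests.policy` at the runtime policy file means the test JVM now also evaluates the second grant block, which hands out `read,write,delete,readlink` under whatever `solr.install.dir`, `jetty.home`, `solr.log.dir` and similar properties happen to be defined. If the junit4 launcher sets any of these (not visible from this hunk), tests gain write and delete access to those trees that the old solr-tests.policy did not grant; worth checking which of the listed properties the test runner defines and adding a short comment here, e.g. `<!-- shared with the runtime; property-keyed grants below the test block only apply if the test JVM defines those properties -->`.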
diff --git a/lucene/tools/junit4/solr-tests.policy b/solr/server/etc/security.policy
similarity index 79%
rename from lucene/tools/junit4/solr-tests.policy
rename to solr/server/etc/security.policy
index b178d6b..73da119 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/solr/server/etc/security.policy
@@ -15,8 +15,10 @@
* limitations under the License.
*/
-// Policy file for solr tests. Please keep minimal and avoid wildcards.
+// Policy file for solr. Please keep minimal and avoid wildcards.
+// permissions needed for tests to pass, based on properties set by the build system
+// NOTE: if the property is not set, the permission entry is ignored.
grant {
// contain read access to only what we need:
// 3rd party jar resources (where symlinks are not supported), test-files/ resources
@@ -163,3 +165,37 @@ grant {
// used by solr to create sandboxes (e.g. script execution)
permission java.security.SecurityPermission "createAccessControlContext";
};
+
+// additional permissions based on system properties set by /bin/solr
+// NOTE: if the property is not set, the permission entry is ignored.
+grant {
+ permission java.io.FilePermission "${hadoop.security.credential.provider.path}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${hadoop.security.credential.provider.path}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.jetty.keystore}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.jetty.truststore}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.install.dir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.install.dir}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${jetty.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${jetty.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.solr.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.solr.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.data.home}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.data.home}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.default.confdir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,write,delete,readlink";
+
+ permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
+ permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
+
+ // expanded to a wildcard if set, allows all networking everywhere
+ permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
+};
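Review bot: Every directory in the new grant block gets `read,write,delete,readlink`, including `solr.install.dir`, `jetty.home`, `solr.default.confdir` and the keystore/truststore paths; since this policy file itself lives under `${jetty.home}/etc` and the jars under the install dir, a compromised Solr process could rewrite its own policy and code, which defeats much of the point of the sandbox. Data, home and log directories plausibly need write and delete, but the install tree, Jetty home, the default config dir and the TLS stores should be read-only under least privilege, so I would drop `write,delete` from those ten entries. The `${/}-` recursive entries for `solr.jetty.keystore` and `solr.jetty.truststore` also look odd since those properties name files rather than directories; harmless if so, but a comment saying which properties are files would help. The hadoop credential provider path is kept as-is here, as I cannot tell from the hunk whether it is written at runtime.

```java
// additional permissions based on system properties set by /bin/solr
// NOTE: if the property is not set, the permission entry is ignored.
grant {
  // … unchanged: hadoop.security.credential.provider.path entries …

  // read-only: TLS material, code and default configs must not be writable by the running process
  permission java.io.FilePermission "${solr.jetty.keystore}", "read,readlink";
  permission java.io.FilePermission "${solr.jetty.keystore}${/}-", "read,readlink";

  permission java.io.FilePermission "${solr.jetty.truststore}", "read,readlink";
  permission java.io.FilePermission "${solr.jetty.truststore}${/}-", "read,readlink";

  permission java.io.FilePermission "${solr.install.dir}", "read,readlink";
  permission java.io.FilePermission "${solr.install.dir}${/}-", "read,readlink";

  permission java.io.FilePermission "${jetty.home}", "read,readlink";
  permission java.io.FilePermission "${jetty.home}${/}-", "read,readlink";

  permission java.io.FilePermission "${solr.default.confdir}", "read,readlink";
  permission java.io.FilePermission "${solr.default.confdir}${/}-", "read,readlink";

  // … unchanged: solr.solr.home, solr.data.home, solr.log.dir entries (read,write,delete,readlink) …
  // … unchanged: solr.internal.network.permission SocketPermission entry …
```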