Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/02 10:59:06 UTC
[lucene-solr] branch branch_8x updated: SOLR-13986: remove execute
permission from solr-tests.policy
This is an automated email from the ASF dual-hosted git repository.
rmuir pushed a commit to branch branch_8x
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git
The following commit(s) were added to refs/heads/branch_8x by this push:
new 3de517b SOLR-13986: remove execute permission from solr-tests.policy
3de517b is described below
commit 3de517b2869d0d7664dbe1b55f6f803091c92bff
Author: Robert Muir <rm...@apache.org>
AuthorDate: Mon Dec 2 05:36:29 2019 -0500
SOLR-13986: remove execute permission from solr-tests.policy
---
.../apache/lucene/util/TestSecurityManager.java | 63 ++++++++++++++++++++++
lucene/tools/junit4/solr-tests.policy | 12 ++---
2 files changed, 69 insertions(+), 6 deletions(-)
diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
index 99c6270..70539cd 100644
--- a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
+++ b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java
@@ -41,6 +41,69 @@ public final class TestSecurityManager extends SecurityManager {
super();
}
+ // TODO: move this stuff into a Solr (non-test) SecurityManager!
+ /**
+ * {@inheritDoc}
+ * <p>This method implements hacks to workaround hadoop's garbage Shell and FileUtil code
+ */
+ @Override
+ public void checkExec(String cmd) {
+ // NOTE: it would be tempting to just allow anything from hadoop's Shell class, but then
+ // that would just give an easy vector for RCE (use hadoop Shell instead of e.g. ProcessBuilder)
+ // so we whitelist actual caller impl methods instead.
+ for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
+ // hadoop insists on shelling out to get the user's supplementary groups?
+ if ("org.apache.hadoop.security.ShellBasedUnixGroupsMapping".equals(element.getClassName()) &&
+ "getGroups".equals(element.getMethodName())) {
+ return;
+ }
+ // hadoop insists on shelling out to parse 'df' command instead of using FileStore?
+ if ("org.apache.hadoop.fs.DF".equals(element.getClassName()) &&
+ "getFilesystem".equals(element.getMethodName())) {
+ return;
+ }
+ // hadoop insists on shelling out to parse 'du' command instead of using FileStore?
+ if ("org.apache.hadoop.fs.DU".equals(element.getClassName()) &&
+ "refresh".equals(element.getMethodName())) {
+ return;
+ }
+ // hadoop insists on shelling out to parse 'ls' command instead of java nio apis?
+ if ("org.apache.hadoop.util.DiskChecker".equals(element.getClassName()) &&
+ "checkDir".equals(element.getMethodName())) {
+ return;
+ }
+ // hadoop insists on shelling out to parse 'stat' command instead of Files.getAttributes?
+ if ("org.apache.hadoop.fs.HardLink".equals(element.getClassName()) &&
+ "getLinkCount".equals(element.getMethodName())) {
+ return;
+ }
+ // hadoop "canExecute" method doesn't handle securityexception and fails completely.
+ // so, lie to it, and tell it we will happily execute, so it does not crash.
+ if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
+ "canExecute".equals(element.getMethodName())) {
+ return;
+ }
+ }
+ super.checkExec(cmd);
+ }
+
+ /**
+ * {@inheritDoc}
+ * <p>This method implements hacks to workaround hadoop's garbage FileUtil code
+ */
+ @Override
+ public void checkWrite(String file) {
+ for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
+ // hadoop "canWrite" method doesn't handle securityexception and fails completely.
+ // so, lie to it, and tell it we will happily write, so it does not crash.
+ if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
+ "canWrite".equals(element.getMethodName())) {
+ return;
+ }
+ }
+ super.checkWrite(file);
+ }
+
/**
* {@inheritDoc}
* <p>This method inspects the stack trace and checks who is calling
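Review bot: Every allowlisted frame in `checkExec` returns without inspecting `cmd`, so while e.g. `DiskChecker.checkDir` is anywhere on the stack any executable is permitted, not only the one that caller is expected to run. `checkWrite` has the same shape: it skips `super.checkWrite(file)` for any path whenever `FileUtil.canWrite` is on the stack. The match is on class and method name strings only, so it does not establish that the frame was loaded from the hadoop jar. Since the TODO proposes moving this into a non-test SecurityManager, I would record the limitation in both Javadoc blocks, e.g. `<p>NOTE: matches stack frame names only; does not restrict the command/path or verify the caller's code source`. Before the code leaves the test framework, consider tying each entry to the command its comment names.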
diff --git a/lucene/tools/junit4/solr-tests.policy b/lucene/tools/junit4/solr-tests.policy
index 69013eb..82ed0bf 100644
--- a/lucene/tools/junit4/solr-tests.policy
+++ b/lucene/tools/junit4/solr-tests.policy
@@ -25,13 +25,13 @@
grant {
// permissions for file access, write access only to sandbox:
- permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete";
- permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete";
+ permission java.io.FilePermission "<<ALL FILES>>", "read";
+ permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
+ permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
- permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete";
- permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete";
+ permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
+ permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
permission java.io.FilePermission "${tests.linedocsfile}", "read";
permission java.nio.file.LinkPermission "hard";