SOLR-13986: remove execute permission from solr-tests.policy

This commit is contained in:
Robert Muir 2019-12-02 05:36:29 -05:00
parent 5a697344ed
commit 1d238c844e
2 changed files with 69 additions and 6 deletions

View File

@ -41,6 +41,69 @@ public final class TestSecurityManager extends SecurityManager {
super(); super();
} }
// TODO: move this stuff into a Solr (non-test) SecurityManager!
/**
* {@inheritDoc}
* <p>This method implements hacks to workaround hadoop's garbage Shell and FileUtil code
*/
@Override
public void checkExec(String cmd) {
// NOTE: it would be tempting to just allow anything from hadoop's Shell class, but then
// that would just give an easy vector for RCE (use hadoop Shell instead of e.g. ProcessBuilder)
// so we whitelist actual caller impl methods instead.
for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
// hadoop insists on shelling out to get the user's supplementary groups?
if ("org.apache.hadoop.security.ShellBasedUnixGroupsMapping".equals(element.getClassName()) &&
"getGroups".equals(element.getMethodName())) {
return;
}
// hadoop insists on shelling out to parse 'df' command instead of using FileStore?
if ("org.apache.hadoop.fs.DF".equals(element.getClassName()) &&
"getFilesystem".equals(element.getMethodName())) {
return;
}
// hadoop insists on shelling out to parse 'du' command instead of using FileStore?
if ("org.apache.hadoop.fs.DU".equals(element.getClassName()) &&
"refresh".equals(element.getMethodName())) {
return;
}
// hadoop insists on shelling out to parse 'ls' command instead of java nio apis?
if ("org.apache.hadoop.util.DiskChecker".equals(element.getClassName()) &&
"checkDir".equals(element.getMethodName())) {
return;
}
// hadoop insists on shelling out to parse 'stat' command instead of Files.getAttributes?
if ("org.apache.hadoop.fs.HardLink".equals(element.getClassName()) &&
"getLinkCount".equals(element.getMethodName())) {
return;
}
// hadoop "canExecute" method doesn't handle securityexception and fails completely.
// so, lie to it, and tell it we will happily execute, so it does not crash.
if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
"canExecute".equals(element.getMethodName())) {
return;
}
}
super.checkExec(cmd);
}
/**
* {@inheritDoc}
* <p>This method implements hacks to workaround hadoop's garbage FileUtil code
*/
@Override
public void checkWrite(String file) {
for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
// hadoop "canWrite" method doesn't handle securityexception and fails completely.
// so, lie to it, and tell it we will happily write, so it does not crash.
if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
"canWrite".equals(element.getMethodName())) {
return;
}
}
super.checkWrite(file);
}
/** /**
* {@inheritDoc} * {@inheritDoc}
* <p>This method inspects the stack trace and checks who is calling * <p>This method inspects the stack trace and checks who is calling

View File

@ -25,13 +25,13 @@
grant { grant {
// permissions for file access, write access only to sandbox: // permissions for file access, write access only to sandbox:
permission java.io.FilePermission "<<ALL FILES>>", "read,execute"; permission java.io.FilePermission "<<ALL FILES>>", "read";
permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute"; permission java.io.FilePermission "${junit4.childvm.cwd}", "read";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete";
permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write";
permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete"; permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete";
permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete"; permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete";
permission java.io.FilePermission "${tests.linedocsfile}", "read"; permission java.io.FilePermission "${tests.linedocsfile}", "read";
permission java.nio.file.LinkPermission "hard"; permission java.nio.file.LinkPermission "hard";