286242 Ported jetty-setuid from jetty-6
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@730 7e9141cc-0065-0410-87d8-b60c137991c4
parent
2c6ba58afe
commit
2097eac0d9
|
@ -6,6 +6,7 @@ jetty-7.0.0.RC4-SNAPSHOT
|
||||||
+ JETTY-1079 ResourceCollection.toString
|
+ JETTY-1079 ResourceCollection.toString
|
||||||
+ 279820 Fixed HotSwapHandler
|
+ 279820 Fixed HotSwapHandler
|
||||||
+ JETTY-1080 Ignore files that would be extracted outside the destination directory when unpacking WARs
|
+ JETTY-1080 Ignore files that would be extracted outside the destination directory when unpacking WARs
|
||||||
|
+ 286242 Ported jetty-setuid from jetty-6
|
||||||
|
|
||||||
jetty-7.0.0.RC3 7 August 2009
|
jetty-7.0.0.RC3 7 August 2009
|
||||||
+ 277403 remove system properties
|
+ 277403 remove system properties
|
||||||
|
|
|
@ -75,12 +75,12 @@
|
||||||
<scope>provided</scope>
|
<scope>provided</scope>
|
||||||
<exclusions>
|
<exclusions>
|
||||||
<exclusion>
|
<exclusion>
|
||||||
<groupId>org.mortbay.jetty</groupId>
|
<groupId>org.mortbay.jetty</groupId>
|
||||||
<artifactId>servlet-api</artifactId>
|
<artifactId>servlet-api</artifactId>
|
||||||
</exclusion>
|
</exclusion>
|
||||||
<exclusion>
|
<exclusion>
|
||||||
<groupId>javax.servlet</groupId>
|
<groupId>javax.servlet</groupId>
|
||||||
<artifactId>servlet-api</artifactId>
|
<artifactId>servlet-api</artifactId>
|
||||||
</exclusion>
|
</exclusion>
|
||||||
</exclusions>
|
</exclusions>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
@ -171,6 +171,18 @@
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
<scope>provided</scope>
|
<scope>provided</scope>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-setuid</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
<scope>provided</scope>
|
||||||
|
<exclusions>
|
||||||
|
<exclusion>
|
||||||
|
<groupId>net.java.dev.jna</groupId>
|
||||||
|
<artifactId>jna</artifactId>
|
||||||
|
</exclusion>
|
||||||
|
</exclusions>
|
||||||
|
</dependency>
|
||||||
<dependency>
|
<dependency>
|
||||||
<groupId>javax.servlet</groupId>
|
<groupId>javax.servlet</groupId>
|
||||||
<artifactId>servlet-api</artifactId>
|
<artifactId>servlet-api</artifactId>
|
||||||
|
@ -209,5 +221,11 @@
|
||||||
<scope>compile</scope>
|
<scope>compile</scope>
|
||||||
<version>3.1</version>
|
<version>3.1</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>net.java.dev.jna</groupId>
|
||||||
|
<artifactId>jna</artifactId>
|
||||||
|
<scope>compile</scope>
|
||||||
|
<version>${jna-version}</version>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
||||||
|
|
|
@ -179,6 +179,16 @@
|
||||||
<includes>**</includes>
|
<includes>**</includes>
|
||||||
<outputDirectory>${assembly.directory}</outputDirectory>
|
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||||
</artifactItem>
|
</artifactItem>
|
||||||
|
<artifactItem>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-setuid</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
<classifier>config</classifier>
|
||||||
|
<type>jar</type>
|
||||||
|
<overWrite>true</overWrite>
|
||||||
|
<includes>**</includes>
|
||||||
|
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||||
|
</artifactItem>
|
||||||
</artifactItems>
|
</artifactItems>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
|
@ -381,10 +391,18 @@
|
||||||
<outputDirectory>${assembly.directory}</outputDirectory>
|
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||||
<destFileName>start.jar</destFileName>
|
<destFileName>start.jar</destFileName>
|
||||||
</artifactItem>
|
</artifactItem>
|
||||||
|
<artifactItem>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-setuid</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
<type>jar</type>
|
||||||
|
<overWrite>true</overWrite>
|
||||||
|
<includes>**</includes>
|
||||||
|
<outputDirectory>${assembly.directory}/lib</outputDirectory>
|
||||||
|
</artifactItem>
|
||||||
</artifactItems>
|
</artifactItems>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
<!--
|
|
||||||
<execution>
|
<execution>
|
||||||
<phase>generate-resources</phase>
|
<phase>generate-resources</phase>
|
||||||
<goals>
|
<goals>
|
||||||
|
@ -392,6 +410,13 @@
|
||||||
</goals>
|
</goals>
|
||||||
<configuration>
|
<configuration>
|
||||||
<artifactItems>
|
<artifactItems>
|
||||||
|
<artifactItem>
|
||||||
|
<groupId>net.java.dev.jna</groupId>
|
||||||
|
<artifactId>jna</artifactId>
|
||||||
|
<version>${jna-version}</version>
|
||||||
|
<outputDirectory>${assembly.directory}/lib/setuid</outputDirectory>
|
||||||
|
</artifactItem>
|
||||||
|
<!--
|
||||||
<artifactItem>
|
<artifactItem>
|
||||||
<groupId>org.apache.geronimo.specs</groupId>
|
<groupId>org.apache.geronimo.specs</groupId>
|
||||||
<artifactId>geronimo-annotation_1.0_spec</artifactId>
|
<artifactId>geronimo-annotation_1.0_spec</artifactId>
|
||||||
|
@ -416,10 +441,10 @@
|
||||||
<version>3.1</version>
|
<version>3.1</version>
|
||||||
<outputDirectory>${assembly.directory}/lib/annotations</outputDirectory>
|
<outputDirectory>${assembly.directory}/lib/annotations</outputDirectory>
|
||||||
</artifactItem>
|
</artifactItem>
|
||||||
|
-->
|
||||||
</artifactItems>
|
</artifactItems>
|
||||||
</configuration>
|
</configuration>
|
||||||
</execution>
|
</execution>
|
||||||
-->
|
|
||||||
</executions>
|
</executions>
|
||||||
</plugin>
|
</plugin>
|
||||||
<plugin>
|
<plugin>
|
||||||
|
@ -504,6 +529,11 @@
|
||||||
<artifactId>jetty-policy</artifactId>
|
<artifactId>jetty-policy</artifactId>
|
||||||
<version>${project.version}</version>
|
<version>${project.version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-setuid</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</project>
|
</project>
|
||||||
|
|
||||||
|
|
|
@ -31,7 +31,7 @@ grant codeBase "file:${jetty.home}/start.jar" {
|
||||||
|
|
||||||
permission java.util.PropertyPermission "main.class", "read";
|
permission java.util.PropertyPermission "main.class", "read";
|
||||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
||||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||||
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||||
|
@ -52,11 +52,11 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT", "read";
|
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT", "read";
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize", "read";
|
||||||
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
||||||
|
@ -77,9 +77,9 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||||
|
|
||||||
// jetty specific properties
|
// jetty specific properties
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||||
permission java.util.PropertyPermission "START", "read";
|
permission java.util.PropertyPermission "START", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
|
||||||
permission java.util.PropertyPermission "STOP.PORT", "read";
|
permission java.util.PropertyPermission "STOP.PORT", "read";
|
||||||
permission java.util.PropertyPermission "STOP.KEY", "read";
|
permission java.util.PropertyPermission "STOP.KEY", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
@ -99,7 +99,7 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
permission java.util.PropertyPermission "jetty.host", "read";
|
permission java.util.PropertyPermission "jetty.host", "read";
|
||||||
permission java.util.PropertyPermission "jetty.port", "read";
|
permission java.util.PropertyPermission "jetty.port", "read";
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.class", "read";
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
||||||
|
|
||||||
|
@ -121,8 +121,9 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
// method that takes no argument.
|
// method that takes no argument.
|
||||||
permission java.lang.RuntimePermission "stopThread";
|
permission java.lang.RuntimePermission "stopThread";
|
||||||
|
|
||||||
// jsp support
|
// jsp support
|
||||||
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
|
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
@ -132,11 +133,11 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
||||||
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
||||||
//
|
//
|
||||||
grant codeBase "file:${java.io.tmpdir}/-" {
|
grant codeBase "file:${java.io.tmpdir}/-" {
|
||||||
|
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
|
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
//
|
//
|
||||||
|
@ -146,8 +147,7 @@ grant codeBase "file:/private${java.io.tmpdir}/-" {
|
||||||
|
|
||||||
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read";
|
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -160,8 +160,7 @@ grant codeBase "file:${jetty.home}/work/-" {
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
|
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||||
|
|
||||||
};
|
};
|
||||||
|
@ -176,6 +175,9 @@ grant codeBase "file:${jetty.home}/work/-" {
|
||||||
grant {
|
grant {
|
||||||
// allows anyone to listen on un-privileged ports
|
// allows anyone to listen on un-privileged ports
|
||||||
permission java.net.SocketPermission "localhost:1024-", "listen";
|
permission java.net.SocketPermission "localhost:1024-", "listen";
|
||||||
|
permission java.net.SocketPermission "localhost:1024-", "accept";
|
||||||
|
|
||||||
|
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||||
|
|
||||||
// "standard" properties that can be read by anyone
|
// "standard" properties that can be read by anyone
|
||||||
permission java.util.PropertyPermission "java.version", "read";
|
permission java.util.PropertyPermission "java.version", "read";
|
||||||
|
|
|
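Review bot: The unconditional `grant { ... }` block in the last hunk now gives every code source, including the webapp code unpacked under the tmp and work directories, `PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write"` and `SocketPermission "localhost:1024-", "accept"`. Write access to a server tuning property is presumably needed only by Jetty's own classes, so it would sit better in the `grant codeBase "file:${jetty.home}/lib/-"` block, leaving the global grant with `"read"` at most. If the `accept` permission is there for the connectors, the same codeBase block is the narrower place for it. Neither new line has a comment saying why all domains need it, and the grant block continues past the end of this hunk.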
@ -1,207 +0,0 @@
|
||||||
//
|
|
||||||
//
|
|
||||||
// Default security policy for jetty
|
|
||||||
//
|
|
||||||
// Note: this is still a work in progress
|
|
||||||
|
|
||||||
// start.jar
|
|
||||||
grant codeBase "file:${jetty.home}/start.jar" {
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
|
||||||
|
|
||||||
permission java.lang.RuntimePermission "createClassLoader";
|
|
||||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
|
||||||
permission java.security.SecurityPermission "getPolicy";
|
|
||||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.home", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "user.home", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
|
||||||
permission java.util.PropertyPermission "java.class.path", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "repository", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.lib", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.server", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.host", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.port", "read";
|
|
||||||
permission java.util.PropertyPermission "start.class", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "main.class", "read";
|
|
||||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
|
||||||
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
|
||||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
|
||||||
permission java.lang.RuntimePermission "getClassLoader";
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
//
|
|
||||||
// jetty system classes
|
|
||||||
//
|
|
||||||
grant codeBase "file:${jetty.home}/lib/-" {
|
|
||||||
|
|
||||||
permission java.lang.RuntimePermission "getClassLoader";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.webapp.WebAppClassLoader.extensions", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.http.PathMap.separators", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize", "read";
|
|
||||||
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
|
||||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
|
||||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read, write";
|
|
||||||
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}", "read, write";
|
|
||||||
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}${/}-", "read, write";
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
|
|
||||||
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}logs", "read, write";
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}logs${/}*", "read, write";
|
|
||||||
|
|
||||||
permission java.lang.RuntimePermission "createClassLoader";
|
|
||||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
|
||||||
|
|
||||||
permission java.security.SecurityPermission "getPolicy";
|
|
||||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
|
||||||
|
|
||||||
// jetty specific properties
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
|
||||||
permission java.util.PropertyPermission "START", "read";
|
|
||||||
permission java.util.PropertyPermission "STOP.PORT", "read";
|
|
||||||
permission java.util.PropertyPermission "STOP.KEY", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
|
||||||
permission java.util.PropertyPermission "CLASSPATH", "read";
|
|
||||||
permission java.util.PropertyPermission "OPTIONS", "read";
|
|
||||||
permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
|
|
||||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.home", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "user.home", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
|
||||||
permission java.util.PropertyPermission "java.class.path", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "jetty.lib", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.server", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.host", "read";
|
|
||||||
permission java.util.PropertyPermission "jetty.port", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.class", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
|
|
||||||
|
|
||||||
// provides access to webapps
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
|
|
||||||
|
|
||||||
|
|
||||||
// Allows any thread to stop itself using the java.lang.Thread.stop()
|
|
||||||
// method that takes no argument.
|
|
||||||
permission java.lang.RuntimePermission "stopThread";
|
|
||||||
|
|
||||||
// jsp support
|
|
||||||
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
// TODO template these, maybe make them setup based on OS or something
|
|
||||||
|
|
||||||
//
|
|
||||||
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
|
||||||
//
|
|
||||||
grant codeBase "file:${java.io.tmpdir}/-" {
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
|
||||||
};
|
|
||||||
|
|
||||||
//
|
|
||||||
// some operating systems have tmp as a symbolic link to /private/tmp
|
|
||||||
//
|
|
||||||
grant codeBase "file:/private${java.io.tmpdir}/-" {
|
|
||||||
|
|
||||||
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
//
|
|
||||||
// The work directory can be used for unpacking war files so should have the same default
|
|
||||||
// permissions as the tmp directory
|
|
||||||
//
|
|
||||||
grant codeBase "file:${jetty.home}/work/-" {
|
|
||||||
|
|
||||||
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
|
||||||
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
//
|
|
||||||
//
|
|
||||||
// default permissions granted to all domains
|
|
||||||
//
|
|
||||||
//
|
|
||||||
grant {
|
|
||||||
// allows anyone to listen on un-privileged ports
|
|
||||||
permission java.net.SocketPermission "localhost:1024-", "listen";
|
|
||||||
permission java.net.SocketPermission "localhost:1024-", "accept";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
|
||||||
|
|
||||||
// "standard" properties that can be read by anyone
|
|
||||||
permission java.util.PropertyPermission "java.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vendor.url", "read";
|
|
||||||
permission java.util.PropertyPermission "java.class.version", "read";
|
|
||||||
permission java.util.PropertyPermission "os.name", "read";
|
|
||||||
permission java.util.PropertyPermission "os.version", "read";
|
|
||||||
permission java.util.PropertyPermission "os.arch", "read";
|
|
||||||
permission java.util.PropertyPermission "file.separator", "read";
|
|
||||||
permission java.util.PropertyPermission "path.separator", "read";
|
|
||||||
permission java.util.PropertyPermission "line.separator", "read";
|
|
||||||
permission java.util.PropertyPermission "java.io.tmpdir", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "java.specification.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.specification.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.specification.name", "read";
|
|
||||||
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.specification.name", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.version", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.vendor", "read";
|
|
||||||
permission java.util.PropertyPermission "java.vm.name", "read";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
|
|
@ -0,0 +1,12 @@
|
||||||
|
Configuration
|
||||||
|
-------------
|
||||||
|
|
||||||
|
Change etc/jetty-setuid.xml to use the userid you want.
|
||||||
|
|
||||||
|
|
||||||
|
Running
|
||||||
|
-------
|
||||||
|
In the top level jetty directory do:
|
||||||
|
|
||||||
|
sudo java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml
|
||||||
|
|
|
@ -0,0 +1,83 @@
|
||||||
|
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||||
|
<parent>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-project</artifactId>
|
||||||
|
<version>7.0.0.RC4-SNAPSHOT</version>
|
||||||
|
</parent>
|
||||||
|
<modelVersion>4.0.0</modelVersion>
|
||||||
|
<artifactId>jetty-setuid</artifactId>
|
||||||
|
<name>Jetty :: SetUID</name>
|
||||||
|
<description>SetUID Support for using reserved ports and dropping privileges on startup</description>
|
||||||
|
<build>
|
||||||
|
<plugins>
|
||||||
|
<plugin>
|
||||||
|
<groupId>org.apache.felix</groupId>
|
||||||
|
<artifactId>maven-bundle-plugin</artifactId>
|
||||||
|
<version>${felix.bundle.version}</version>
|
||||||
|
<extensions>true</extensions>
|
||||||
|
<executions>
|
||||||
|
<execution>
|
||||||
|
<goals>
|
||||||
|
<goal>manifest</goal>
|
||||||
|
</goals>
|
||||||
|
</execution>
|
||||||
|
</executions>
|
||||||
|
</plugin>
|
||||||
|
<plugin>
|
||||||
|
<!--
|
||||||
|
Required for OSGI
|
||||||
|
-->
|
||||||
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
|
<artifactId>maven-jar-plugin</artifactId>
|
||||||
|
<configuration>
|
||||||
|
<archive>
|
||||||
|
<manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
|
||||||
|
</archive>
|
||||||
|
</configuration>
|
||||||
|
</plugin>
|
||||||
|
<plugin>
|
||||||
|
<groupId>org.apache.maven.plugins</groupId>
|
||||||
|
<artifactId>maven-assembly-plugin</artifactId>
|
||||||
|
<executions>
|
||||||
|
<execution>
|
||||||
|
<phase>package</phase>
|
||||||
|
<goals>
|
||||||
|
<goal>single</goal>
|
||||||
|
</goals>
|
||||||
|
<configuration>
|
||||||
|
<descriptors>
|
||||||
|
<descriptor>config.xml</descriptor>
|
||||||
|
</descriptors>
|
||||||
|
</configuration>
|
||||||
|
</execution>
|
||||||
|
</executions>
|
||||||
|
</plugin>
|
||||||
|
</plugins>
|
||||||
|
</build>
|
||||||
|
<dependencies>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-util</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>net.java.dev.jna</groupId>
|
||||||
|
<artifactId>jna</artifactId>
|
||||||
|
<version>${jna-version}</version>
|
||||||
|
<type>jar</type>
|
||||||
|
<optional>false</optional>
|
||||||
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>org.eclipse.jetty</groupId>
|
||||||
|
<artifactId>jetty-server</artifactId>
|
||||||
|
<version>${project.version}</version>
|
||||||
|
</dependency>
|
||||||
|
</dependencies>
|
||||||
|
<repositories>
|
||||||
|
<repository>
|
||||||
|
<id>java-net-repo</id>
|
||||||
|
<name>Java.net Repository</name>
|
||||||
|
<url>http://download.java.net/maven/2</url>
|
||||||
|
</repository>
|
||||||
|
</repositories>
|
||||||
|
</project>
|
|
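Review bot: The `java-net-repo` repository at the end of this new POM is declared with a plain `http://` URL, so the `jna` artifact this module depends on is resolved over an unauthenticated channel. jna is the native-call bridge for a server that the README in this commit starts with `sudo java -jar start.jar ...`, so its integrity matters more than for an ordinary dependency. Prefer an HTTPS URL for the repository if the host offers one, or resolve jna through a mirror the build already trusts, and have the build fail on checksum mismatch. `${jna-version}` is not defined in this file; presumably the parent POM sets it, and it is worth confirming that it is a fixed version rather than a range.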
@ -0,0 +1,16 @@
|
||||||
|
<?xml version="1.0"?>
|
||||||
|
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
|
||||||
|
|
||||||
|
<!-- =============================================================== -->
|
||||||
|
<!-- Configure the Jetty SetUIDServer -->
|
||||||
|
<!-- this configuration file should be used in combination with -->
|
||||||
|
<!-- other configuration files. e.g. -->
|
||||||
|
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
|
||||||
|
<!-- =============================================================== -->
|
||||||
|
<Configure id="Server" class="org.eclipse.jetty.setuid.SetUIDServer">
|
||||||
|
<Set name="startServerAsPrivileged">false</Set>
|
||||||
|
<Set name="umask">2</Set>
|
||||||
|
<Set name="uid">2001</Set>
|
||||||
|
<Set name="gid">2001</Set>
|
||||||
|
</Configure>
|
||||||
|
|
|
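Review bot: The sample values `uid` 2001, `gid` 2001 and `umask` 2 carry no comment, so a deployment that ships this file unchanged drops to whichever account happens to own id 2001 on that host, or to an id with no account at all. A comment above the `<Set>` lines such as `<!-- placeholders: replace uid/gid with a dedicated unprivileged account -->` would make that explicit. The `umask` value also looks as if it is read as a plain integer and only printed in octal by SetUIDServer (`Integer.toString(_umask, 8)`), so someone writing `022` may get decimal 22, which is octal 026. Confirm how the value is parsed and document the expected base next to the setting.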
@ -0,0 +1,48 @@
|
||||||
|
package org.eclipse.jetty.setuid;
|
||||||
|
|
||||||
|
import com.sun.jna.Library;
|
||||||
|
import com.sun.jna.Native;
|
||||||
|
import com.sun.jna.Platform;
|
||||||
|
|
||||||
|
public class SetUID {
|
||||||
|
public static final int OK = 0;
|
||||||
|
public static final int ERROR = -1;
|
||||||
|
|
||||||
|
public interface CLibrary extends Library {
|
||||||
|
CLibrary INSTANCE = (CLibrary) Native.loadLibrary((Platform.isWindows() ? "msvcrt" : "c"), CLibrary.class);
|
||||||
|
|
||||||
|
int umask(int umask);
|
||||||
|
|
||||||
|
int setuid(int uid);
|
||||||
|
|
||||||
|
int setgid(int gid);
|
||||||
|
|
||||||
|
int getuid();
|
||||||
|
|
||||||
|
int geteuid();
|
||||||
|
}
|
||||||
|
|
||||||
|
public static int setumask(int umask) {
|
||||||
|
if (Platform.isWindows())
|
||||||
|
return OK;
|
||||||
|
return CLibrary.INSTANCE.umask(umask);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static int setuid(int uid) {
|
||||||
|
if (Platform.isWindows())
|
||||||
|
return OK;
|
||||||
|
return CLibrary.INSTANCE.setuid(uid);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static int setgid(int gid) {
|
||||||
|
if (Platform.isWindows())
|
||||||
|
return OK;
|
||||||
|
return CLibrary.INSTANCE.setgid(gid);
|
||||||
|
}
|
||||||
|
|
||||||
|
public static int getuid() {
|
||||||
|
if (Platform.isWindows())
|
||||||
|
return -1;
|
||||||
|
return CLibrary.INSTANCE.getuid();
|
||||||
|
}
|
||||||
|
}
|
|
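Review bot: `CLibrary` binds `setuid` and `setgid` but not `setgroups` or `initgroups`, so a process started as root would keep root's supplementary groups after the uid and gid are changed. The supplementary group list should be reset before `setgid` and `setuid` are called, which needs one more binding here and a matching wrapper. The `setuid` and `setgid` wrappers also return `OK` on Windows without doing anything, and elsewhere pass the raw libc result through. Each wrapper deserves a Javadoc line saying that a non-`OK` result must be treated as fatal and that `OK` on Windows does not mean privileges were dropped. `geteuid` is declared but has no wrapper, so it is not available to callers for confirming the drop.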
@ -0,0 +1,108 @@
|
||||||
|
package org.eclipse.jetty.setuid;
|
||||||
|
|
||||||
|
import org.eclipse.jetty.server.Connector;
|
||||||
|
import org.eclipse.jetty.server.Server;
|
||||||
|
import org.eclipse.jetty.util.log.Log;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This extension of {@link Server} will make a JNA call to set the unix UID.
|
||||||
|
*
|
||||||
|
* This can be used to start the server as root so that privileged ports may be accessed and then switch to a non-root
|
||||||
|
* user for security. Depending on the value of {@link #setStartServerAsPrivileged(boolean)}, either the server will be
|
||||||
|
* started and then the UID set; or the {@link Server#getConnectors()} will be opened with a call to
|
||||||
|
* {@link Connector#open()}, the UID set and then the server is started. The later is the default and avoids any
|
||||||
|
* webapplication code being run as a privileged user, but will not work if the application code also needs to open
|
||||||
|
* privileged ports.
|
||||||
|
*
|
||||||
|
*<p>
|
||||||
|
* The configured umask is set before the server is started and the configured uid is set after the server is started.
|
||||||
|
* </p>
|
||||||
|
*
|
||||||
|
* @author gregw
|
||||||
|
* @author q
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
public class SetUIDServer extends Server {
|
||||||
|
int _uid = 0;
|
||||||
|
int _gid = 0;
|
||||||
|
int _umask = 0;
|
||||||
|
boolean _startServerAsPrivileged;
|
||||||
|
|
||||||
|
public int getUmask() {
|
||||||
|
return _umask;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUmask(int umask) {
|
||||||
|
_umask = umask;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getUid() {
|
||||||
|
return _uid;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setUid(int uid) {
|
||||||
|
_uid = uid;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void setGid(int gid) {
|
||||||
|
_gid = gid;
|
||||||
|
}
|
||||||
|
|
||||||
|
public int getGid() {
|
||||||
|
return _gid;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected void doStart() throws Exception {
|
||||||
|
if (_umask != 0) {
|
||||||
|
Log.info("Setting umask=0" + Integer.toString(_umask, 8));
|
||||||
|
SetUID.setumask(_umask);
|
||||||
|
}
|
||||||
|
|
||||||
|
if (_startServerAsPrivileged) {
|
||||||
|
super.doStart();
|
||||||
|
dropPrivs();
|
||||||
|
} else {
|
||||||
|
Connector[] connectors = getConnectors();
|
||||||
|
for (int i = 0; connectors != null && i < connectors.length; i++)
|
||||||
|
connectors[i].open();
|
||||||
|
dropPrivs();
|
||||||
|
super.doStart();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
private void dropPrivs() {
|
||||||
|
int uid = SetUID.getuid();
|
||||||
|
if (uid != 0) {
|
||||||
|
Log.warn("Expected to be running UID = 0, but got UID = " + uid);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (_gid != 0) {
|
||||||
|
Log.info("Setting GID=" + _gid);
|
||||||
|
SetUID.setgid(_gid);
|
||||||
|
}
|
||||||
|
if (_uid != 0) {
|
||||||
|
Log.info("Setting UID=" + _uid);
|
||||||
|
SetUID.setuid(_uid);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/**
|
||||||
|
* @return the startServerAsPrivileged
|
||||||
|
*/
|
||||||
|
public boolean isStartServerAsPrivileged() {
|
||||||
|
return _startServerAsPrivileged;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* ------------------------------------------------------------ */
|
||||||
|
/**
|
||||||
|
* @see {@link Connector#open()}
|
||||||
|
* @param startServerAsPrivileged
|
||||||
|
* if true, the server is started and then the process UID is switched. If false, the connectors are opened,
|
||||||
|
* the UID is switched and then the server is started.
|
||||||
|
*/
|
||||||
|
public void setStartServerAsPrivileged(boolean startContextsAsPrivileged) {
|
||||||
|
_startServerAsPrivileged = startContextsAsPrivileged;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
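Review bot: `dropPrivs()` discards the return values of `SetUID.setgid(_gid)` and `SetUID.setuid(_uid)`, so if either call fails the server logs "Setting UID=…" and keeps serving as root. Both results should be compared with `SetUID.OK` and startup aborted on failure, as in the excerpt below. Two related gaps sit in the same method: with the field defaults `_uid = 0` and `_gid = 0` no drop happens and nothing is logged, and the `uid != 0` early return also fires on Windows, where `SetUID.getuid()` returns `-1`. In the `_startServerAsPrivileged` branch of `doStart()` the exception would be raised after `super.doStart()` has run, so the already-started server would still need stopping; how the caller handles that is not visible here.

```java
private void dropPrivs() {
    // … unchanged: getuid() check and early return when not running as UID 0 …
    if (_gid != 0) {
        Log.info("Setting GID=" + _gid);
        if (SetUID.setgid(_gid) != SetUID.OK)
            throw new IllegalStateException("setgid(" + _gid + ") failed; refusing to continue as root");
    }
    if (_uid != 0) {
        Log.info("Setting UID=" + _uid);
        if (SetUID.setuid(_uid) != SetUID.OK)
            throw new IllegalStateException("setuid(" + _uid + ") failed; refusing to continue as root");
    }
}
```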
|
|
@ -131,9 +131,13 @@ $(jetty.home)/lib/jndi/**
|
||||||
$(jetty.home)/lib/jetty-annotations-$(version).jar ! available org.eclipse.jetty.annotations.AnnotationFinder
|
$(jetty.home)/lib/jetty-annotations-$(version).jar ! available org.eclipse.jetty.annotations.AnnotationFinder
|
||||||
$(jetty.home)/lib/annotations/** exists $(jetty.home)/lib/jndi
|
$(jetty.home)/lib/annotations/** exists $(jetty.home)/lib/jndi
|
||||||
|
|
||||||
|
[All,setuid]
|
||||||
|
$(jetty.home)/lib/jetty-setuid-$(version).jar ! available org.eclipse.jetty.setuid.SetUID
|
||||||
|
$(jetty.home)/lib/setuid/**
|
||||||
|
|
||||||
[All,policy]
|
[All,policy]
|
||||||
$(jetty.home)/lib/jetty-policy-$(version).jar ! available org.eclipse.jetty.policy.JettyPolicy
|
$(jetty.home)/lib/jetty-policy-$(version).jar ! available org.eclipse.jetty.policy.JettyPolicy
|
||||||
$(jetty.home)/lib/security/jetty.policy
|
$(jetty.home)/lib/policy/**
|
||||||
|
|
||||||
[All,client]
|
[All,client]
|
||||||
$(jetty.home)/lib/jetty-http-$(version).jar ! available org.eclipse.jetty.http.HttpParser
|
$(jetty.home)/lib/jetty-http-$(version).jar ! available org.eclipse.jetty.http.HttpParser
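Review bot: The new `[All,setuid]` section puts `$(jetty.home)/lib/setuid/**` on the classpath, and with this module the JVM is presumably launched as root, so every jar in that directory is loaded before privileges are dropped. A comment above the section should state that `lib/setuid` and the jetty-setuid jar must be root-owned and not writable by the unprivileged account, e.g. `# lib/setuid is loaded while still root: keep it root-owned and not writable by the runtime uid`.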
|
||||||
|
|
11
pom.xml
11
pom.xml
|
@ -23,8 +23,9 @@
|
||||||
<slf4j-version>1.5.6</slf4j-version>
|
<slf4j-version>1.5.6</slf4j-version>
|
||||||
<eclipse-compiler-version>3.1.1</eclipse-compiler-version>
|
<eclipse-compiler-version>3.1.1</eclipse-compiler-version>
|
||||||
<cometd-version>1.0.beta4</cometd-version>
|
<cometd-version>1.0.beta4</cometd-version>
|
||||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
<jna-version>3.2.2</jna-version>
|
||||||
</properties>
|
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||||
|
</properties>
|
||||||
<scm>
|
<scm>
|
||||||
<connection>scm:svn:http://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk</connection>
|
<connection>scm:svn:http://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk</connection>
|
||||||
<developerConnection>scm:svn:svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk</developerConnection>
|
<developerConnection>scm:svn:svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk</developerConnection>
|
||||||
|
@ -142,6 +143,7 @@
|
||||||
<module>jetty-rewrite</module>
|
<module>jetty-rewrite</module>
|
||||||
<module>jetty-policy</module>
|
<module>jetty-policy</module>
|
||||||
<module>jetty-start</module>
|
<module>jetty-start</module>
|
||||||
|
<module>jetty-setuid</module>
|
||||||
<module>test-continuation</module>
|
<module>test-continuation</module>
|
||||||
<module>test-continuation-jetty6</module>
|
<module>test-continuation-jetty6</module>
|
||||||
<module>test-jetty-servlet</module>
|
<module>test-jetty-servlet</module>
|
||||||
|
@ -203,6 +205,11 @@
|
||||||
<artifactId>activation</artifactId>
|
<artifactId>activation</artifactId>
|
||||||
<version>${activation-version}</version>
|
<version>${activation-version}</version>
|
||||||
</dependency>
|
</dependency>
|
||||||
|
<dependency>
|
||||||
|
<groupId>net.java.dev.jna</groupId>
|
||||||
|
<artifactId>jna</artifactId>
|
||||||
|
<version>${jna-version}</version>
|
||||||
|
</dependency>
|
||||||
</dependencies>
|
</dependencies>
|
||||||
</dependencyManagement>
|
</dependencyManagement>
|
||||||
<!--
|
<!--
|
||||||
|
|