286242 Ported jetty-setuid from jetty-6
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@730 7e9141cc-0065-0410-87d8-b60c137991c4
This commit is contained in:
parent
2c6ba58afe
commit
2097eac0d9
|
@ -6,6 +6,7 @@ jetty-7.0.0.RC4-SNAPSHOT
|
|||
+ JETTY-1079 ResourceCollection.toString
|
||||
+ 279820 Fixed HotSwapHandler
|
||||
+ JETTY-1080 Ignore files that would be extracted outside the destination directory when unpacking WARs
|
||||
+ 286242 Ported jetty-setuid from jetty-6
|
||||
|
||||
jetty-7.0.0.RC3 7 August 2009
|
||||
+ 277403 remove system properties
|
||||
|
|
|
@ -171,6 +171,18 @@
|
|||
<version>${project.version}</version>
|
||||
<scope>provided</scope>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-setuid</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<scope>provided</scope>
|
||||
<exclusions>
|
||||
<exclusion>
|
||||
<groupId>net.java.dev.jna</groupId>
|
||||
<artifactId>jna</artifactId>
|
||||
</exclusion>
|
||||
</exclusions>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>javax.servlet</groupId>
|
||||
<artifactId>servlet-api</artifactId>
|
||||
|
@ -209,5 +221,11 @@
|
|||
<scope>compile</scope>
|
||||
<version>3.1</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>net.java.dev.jna</groupId>
|
||||
<artifactId>jna</artifactId>
|
||||
<scope>compile</scope>
|
||||
<version>${jna-version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
||||
|
|
|
@ -179,6 +179,16 @@
|
|||
<includes>**</includes>
|
||||
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||
</artifactItem>
|
||||
<artifactItem>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-setuid</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<classifier>config</classifier>
|
||||
<type>jar</type>
|
||||
<overWrite>true</overWrite>
|
||||
<includes>**</includes>
|
||||
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||
</artifactItem>
|
||||
</artifactItems>
|
||||
</configuration>
|
||||
</execution>
|
||||
|
@ -381,10 +391,18 @@
|
|||
<outputDirectory>${assembly.directory}</outputDirectory>
|
||||
<destFileName>start.jar</destFileName>
|
||||
</artifactItem>
|
||||
<artifactItem>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-setuid</artifactId>
|
||||
<version>${project.version}</version>
|
||||
<type>jar</type>
|
||||
<overWrite>true</overWrite>
|
||||
<includes>**</includes>
|
||||
<outputDirectory>${assembly.directory}/lib</outputDirectory>
|
||||
</artifactItem>
|
||||
</artifactItems>
|
||||
</configuration>
|
||||
</execution>
|
||||
<!--
|
||||
<execution>
|
||||
<phase>generate-resources</phase>
|
||||
<goals>
|
||||
|
@ -392,6 +410,13 @@
|
|||
</goals>
|
||||
<configuration>
|
||||
<artifactItems>
|
||||
<artifactItem>
|
||||
<groupId>net.java.dev.jna</groupId>
|
||||
<artifactId>jna</artifactId>
|
||||
<version>${jna-version}</version>
|
||||
<outputDirectory>${assembly.directory}/lib/setuid</outputDirectory>
|
||||
</artifactItem>
|
||||
<!--
|
||||
<artifactItem>
|
||||
<groupId>org.apache.geronimo.specs</groupId>
|
||||
<artifactId>geronimo-annotation_1.0_spec</artifactId>
|
||||
|
@ -416,10 +441,10 @@
|
|||
<version>3.1</version>
|
||||
<outputDirectory>${assembly.directory}/lib/annotations</outputDirectory>
|
||||
</artifactItem>
|
||||
-->
|
||||
</artifactItems>
|
||||
</configuration>
|
||||
</execution>
|
||||
-->
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
|
@ -504,6 +529,11 @@
|
|||
<artifactId>jetty-policy</artifactId>
|
||||
<version>${project.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-setuid</artifactId>
|
||||
<version>${project.version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</project>
|
||||
|
||||
|
|
|
@ -77,9 +77,9 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
|||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
|
||||
// jetty specific properties
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "START", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||
permission java.util.PropertyPermission "STOP.PORT", "read";
|
||||
permission java.util.PropertyPermission "STOP.KEY", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
|
@ -99,7 +99,7 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
|||
permission java.util.PropertyPermission "jetty.host", "read";
|
||||
permission java.util.PropertyPermission "jetty.port", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.class", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
||||
|
||||
|
@ -123,6 +123,7 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
|||
|
||||
// jsp support
|
||||
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
@ -132,11 +133,11 @@ grant codeBase "file:${jetty.home}/lib/-" {
|
|||
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
||||
//
|
||||
grant codeBase "file:${java.io.tmpdir}/-" {
|
||||
|
||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
};
|
||||
|
||||
//
|
||||
|
@ -146,8 +147,7 @@ grant codeBase "file:/private${java.io.tmpdir}/-" {
|
|||
|
||||
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
|
||||
};
|
||||
|
@ -160,8 +160,7 @@ grant codeBase "file:${jetty.home}/work/-" {
|
|||
|
||||
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.VERBOSE", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
|
||||
};
|
||||
|
@ -176,6 +175,9 @@ grant codeBase "file:${jetty.home}/work/-" {
|
|||
grant {
|
||||
// allows anyone to listen on un-privileged ports
|
||||
permission java.net.SocketPermission "localhost:1024-", "listen";
|
||||
permission java.net.SocketPermission "localhost:1024-", "accept";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||
|
||||
// "standard" properties that can be read by anyone
|
||||
permission java.util.PropertyPermission "java.version", "read";
|
||||
|
|
|
@ -1,207 +0,0 @@
|
|||
//
|
||||
//
|
||||
// Default security policy for jetty
|
||||
//
|
||||
// Note: this is still a work in progress
|
||||
|
||||
// start.jar
|
||||
grant codeBase "file:${jetty.home}/start.jar" {
|
||||
|
||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
||||
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
permission java.security.SecurityPermission "getPolicy";
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
|
||||
permission java.util.PropertyPermission "jetty.home", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "user.home", "read";
|
||||
|
||||
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
||||
permission java.util.PropertyPermission "java.class.path", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "repository", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "jetty.lib", "read";
|
||||
permission java.util.PropertyPermission "jetty.server", "read";
|
||||
permission java.util.PropertyPermission "jetty.host", "read";
|
||||
permission java.util.PropertyPermission "jetty.port", "read";
|
||||
permission java.util.PropertyPermission "start.class", "read";
|
||||
|
||||
permission java.util.PropertyPermission "main.class", "read";
|
||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||
|
||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
}
|
||||
|
||||
|
||||
//
|
||||
// jetty system classes
|
||||
//
|
||||
grant codeBase "file:${jetty.home}/lib/-" {
|
||||
|
||||
permission java.lang.RuntimePermission "getClassLoader";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.webapp.WebAppClassLoader.extensions", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.http.PathMap.separators", "read";
|
||||
|
||||
permission java.util.PropertyPermission "ROLLOVERFILE_BACKUP_FORMAT", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.webapp.parentLoaderPriority", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.server.Request.maxFormContentSize", "read";
|
||||
|
||||
permission javax.security.auth.AuthPermission "modifyPrincipals";
|
||||
permission javax.security.auth.AuthPermission "modifyPrivateCredentials";
|
||||
permission javax.security.auth.AuthPermission "setReadOnly";
|
||||
|
||||
permission java.io.FilePermission "${jetty.home}${/}-", "read";
|
||||
permission java.io.FilePermission "${java.io.tmpdir}", "read, write";
|
||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read, write";
|
||||
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}", "read, write";
|
||||
permission java.io.FilePermission "${/}private${/}${java.io.tmpdir}${/}-", "read, write";
|
||||
|
||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
|
||||
|
||||
|
||||
permission java.io.FilePermission "${jetty.home}${/}logs", "read, write";
|
||||
permission java.io.FilePermission "${jetty.home}${/}logs${/}*", "read, write";
|
||||
|
||||
permission java.lang.RuntimePermission "createClassLoader";
|
||||
permission java.lang.RuntimePermission "setContextClassLoader";
|
||||
|
||||
permission java.security.SecurityPermission "getPolicy";
|
||||
permission java.lang.RuntimePermission "accessDeclaredMembers";
|
||||
|
||||
// jetty specific properties
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "START", "read";
|
||||
permission java.util.PropertyPermission "STOP.PORT", "read";
|
||||
permission java.util.PropertyPermission "STOP.KEY", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
permission java.util.PropertyPermission "CLASSPATH", "read";
|
||||
permission java.util.PropertyPermission "OPTIONS", "read";
|
||||
permission java.util.PropertyPermission "JETTY_NO_SHUTDOWN_HOOK", "read";
|
||||
permission java.util.PropertyPermission "ISO_8859_1", "read";
|
||||
permission java.util.PropertyPermission "jetty.home", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "user.home", "read";
|
||||
|
||||
permission java.util.PropertyPermission "jetty.class.path", "read, write";
|
||||
permission java.util.PropertyPermission "java.class.path", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "jetty.lib", "read";
|
||||
permission java.util.PropertyPermission "jetty.server", "read";
|
||||
permission java.util.PropertyPermission "jetty.host", "read";
|
||||
permission java.util.PropertyPermission "jetty.port", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.class", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.URI.charset", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.FileResource.checkAliases", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.xml.XmlParser.Validating", "read";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.IntegerCacheSize", "read, write";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.TypeUtil.LongCacheSize", "read";
|
||||
|
||||
// provides access to webapps
|
||||
permission java.io.FilePermission "${jetty.home}${/}webapps${/}-", "read"; // Ought to go up a specific codebase
|
||||
|
||||
|
||||
// Allows any thread to stop itself using the java.lang.Thread.stop()
|
||||
// method that takes no argument.
|
||||
permission java.lang.RuntimePermission "stopThread";
|
||||
|
||||
// jsp support
|
||||
permission java.net.SocketPermission "java.sun.com:80", "connect,resolve";
|
||||
|
||||
};
|
||||
|
||||
|
||||
// TODO template these, maybe make them setup based on OS or something
|
||||
|
||||
//
|
||||
// the tmp directory is where webapps are unpacked by default so setup their restricted permissions
|
||||
//
|
||||
grant codeBase "file:${java.io.tmpdir}/-" {
|
||||
|
||||
permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
};
|
||||
|
||||
//
|
||||
// some operating systems have tmp as a symbolic link to /private/tmp
|
||||
//
|
||||
grant codeBase "file:/private${java.io.tmpdir}/-" {
|
||||
|
||||
permission java.io.FilePermission "/private/${java.io.tmpdir}/-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
|
||||
};
|
||||
|
||||
//
|
||||
// The work directory can be used for unpacking war files so should have the same default
|
||||
// permissions as the tmp directory
|
||||
//
|
||||
grant codeBase "file:${jetty.home}/work/-" {
|
||||
|
||||
permission java.io.FilePermission "${jetty.home}${/}work${/}-", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.class", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.stderr.DEBUG", "read";
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.util.log.IGNORED", "read";
|
||||
|
||||
};
|
||||
|
||||
|
||||
|
||||
//
|
||||
//
|
||||
// default permissions granted to all domains
|
||||
//
|
||||
//
|
||||
grant {
|
||||
// allows anyone to listen on un-privileged ports
|
||||
permission java.net.SocketPermission "localhost:1024-", "listen";
|
||||
permission java.net.SocketPermission "localhost:1024-", "accept";
|
||||
|
||||
permission java.util.PropertyPermission "org.eclipse.jetty.io.nio.JVMBUG_THRESHHOLD", "read, write";
|
||||
|
||||
// "standard" properties that can be read by anyone
|
||||
permission java.util.PropertyPermission "java.version", "read";
|
||||
permission java.util.PropertyPermission "java.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vendor.url", "read";
|
||||
permission java.util.PropertyPermission "java.class.version", "read";
|
||||
permission java.util.PropertyPermission "os.name", "read";
|
||||
permission java.util.PropertyPermission "os.version", "read";
|
||||
permission java.util.PropertyPermission "os.arch", "read";
|
||||
permission java.util.PropertyPermission "file.separator", "read";
|
||||
permission java.util.PropertyPermission "path.separator", "read";
|
||||
permission java.util.PropertyPermission "line.separator", "read";
|
||||
permission java.util.PropertyPermission "java.io.tmpdir", "read";
|
||||
|
||||
permission java.util.PropertyPermission "java.specification.version", "read";
|
||||
permission java.util.PropertyPermission "java.specification.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.specification.name", "read";
|
||||
|
||||
permission java.util.PropertyPermission "java.vm.specification.version", "read";
|
||||
permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vm.specification.name", "read";
|
||||
permission java.util.PropertyPermission "java.vm.version", "read";
|
||||
permission java.util.PropertyPermission "java.vm.vendor", "read";
|
||||
permission java.util.PropertyPermission "java.vm.name", "read";
|
||||
};
|
||||
|
||||
|
|
@ -0,0 +1,12 @@
|
|||
Configuration
|
||||
-------------
|
||||
|
||||
Change etc/jetty-setuid.xml to use the userid you want.
|
||||
|
||||
|
||||
Running
|
||||
-------
|
||||
In the top level jetty directory do:
|
||||
|
||||
sudo java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml
|
||||
|
|
@ -0,0 +1,83 @@
|
|||
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
|
||||
<parent>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-project</artifactId>
|
||||
<version>7.0.0.RC4-SNAPSHOT</version>
|
||||
</parent>
|
||||
<modelVersion>4.0.0</modelVersion>
|
||||
<artifactId>jetty-setuid</artifactId>
|
||||
<name>Jetty :: SetUID</name>
|
||||
<description>SetUID Support for using reserved ports and dropping privileges on startup</description>
|
||||
<build>
|
||||
<plugins>
|
||||
<plugin>
|
||||
<groupId>org.apache.felix</groupId>
|
||||
<artifactId>maven-bundle-plugin</artifactId>
|
||||
<version>${felix.bundle.version}</version>
|
||||
<extensions>true</extensions>
|
||||
<executions>
|
||||
<execution>
|
||||
<goals>
|
||||
<goal>manifest</goal>
|
||||
</goals>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<!--
|
||||
Required for OSGI
|
||||
-->
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-jar-plugin</artifactId>
|
||||
<configuration>
|
||||
<archive>
|
||||
<manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
|
||||
</archive>
|
||||
</configuration>
|
||||
</plugin>
|
||||
<plugin>
|
||||
<groupId>org.apache.maven.plugins</groupId>
|
||||
<artifactId>maven-assembly-plugin</artifactId>
|
||||
<executions>
|
||||
<execution>
|
||||
<phase>package</phase>
|
||||
<goals>
|
||||
<goal>single</goal>
|
||||
</goals>
|
||||
<configuration>
|
||||
<descriptors>
|
||||
<descriptor>config.xml</descriptor>
|
||||
</descriptors>
|
||||
</configuration>
|
||||
</execution>
|
||||
</executions>
|
||||
</plugin>
|
||||
</plugins>
|
||||
</build>
|
||||
<dependencies>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-util</artifactId>
|
||||
<version>${project.version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>net.java.dev.jna</groupId>
|
||||
<artifactId>jna</artifactId>
|
||||
<version>${jna-version}</version>
|
||||
<type>jar</type>
|
||||
<optional>false</optional>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-server</artifactId>
|
||||
<version>${project.version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
<repositories>
|
||||
<repository>
|
||||
<id>java-net-repo</id>
|
||||
<name>Java.net Repository</name>
|
||||
<url>http://download.java.net/maven/2</url>
|
||||
</repository>
|
||||
</repositories>
|
||||
</project>
|
|
@ -0,0 +1,16 @@
|
|||
<?xml version="1.0"?>
|
||||
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
|
||||
|
||||
<!-- =============================================================== -->
|
||||
<!-- Configure the Jetty SetUIDServer -->
|
||||
<!-- this configuration file should be used in combination with -->
|
||||
<!-- other configuration files. e.g. -->
|
||||
<!-- java -jar start.jar etc/jetty-setuid.xml etc/jetty.xml -->
|
||||
<!-- =============================================================== -->
|
||||
<Configure id="Server" class="org.eclipse.jetty.setuid.SetUIDServer">
|
||||
<Set name="startServerAsPrivileged">false</Set>
|
||||
<Set name="umask">2</Set>
|
||||
<Set name="uid">2001</Set>
|
||||
<Set name="gid">2001</Set>
|
||||
</Configure>
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
package org.eclipse.jetty.setuid;
|
||||
|
||||
import com.sun.jna.Library;
|
||||
import com.sun.jna.Native;
|
||||
import com.sun.jna.Platform;
|
||||
|
||||
public class SetUID {
|
||||
public static final int OK = 0;
|
||||
public static final int ERROR = -1;
|
||||
|
||||
public interface CLibrary extends Library {
|
||||
CLibrary INSTANCE = (CLibrary) Native.loadLibrary((Platform.isWindows() ? "msvcrt" : "c"), CLibrary.class);
|
||||
|
||||
int umask(int umask);
|
||||
|
||||
int setuid(int uid);
|
||||
|
||||
int setgid(int gid);
|
||||
|
||||
int getuid();
|
||||
|
||||
int geteuid();
|
||||
}
|
||||
|
||||
public static int setumask(int umask) {
|
||||
if (Platform.isWindows())
|
||||
return OK;
|
||||
return CLibrary.INSTANCE.umask(umask);
|
||||
}
|
||||
|
||||
public static int setuid(int uid) {
|
||||
if (Platform.isWindows())
|
||||
return OK;
|
||||
return CLibrary.INSTANCE.setuid(uid);
|
||||
}
|
||||
|
||||
public static int setgid(int gid) {
|
||||
if (Platform.isWindows())
|
||||
return OK;
|
||||
return CLibrary.INSTANCE.setgid(gid);
|
||||
}
|
||||
|
||||
public static int getuid() {
|
||||
if (Platform.isWindows())
|
||||
return -1;
|
||||
return CLibrary.INSTANCE.getuid();
|
||||
}
|
||||
}
|
|
@ -0,0 +1,108 @@
|
|||
package org.eclipse.jetty.setuid;
|
||||
|
||||
import org.eclipse.jetty.server.Connector;
|
||||
import org.eclipse.jetty.server.Server;
|
||||
import org.eclipse.jetty.util.log.Log;
|
||||
|
||||
/**
|
||||
* This extension of {@link Server} will make a JNA call to set the unix UID.
|
||||
*
|
||||
* This can be used to start the server as root so that privileged ports may be accessed and then switch to a non-root
|
||||
* user for security. Depending on the value of {@link #setStartServerAsPrivileged(boolean)}, either the server will be
|
||||
* started and then the UID set; or the {@link Server#getConnectors()} will be opened with a call to
|
||||
* {@link Connector#open()}, the UID set and then the server is started. The later is the default and avoids any
|
||||
* webapplication code being run as a privileged user, but will not work if the application code also needs to open
|
||||
* privileged ports.
|
||||
*
|
||||
*<p>
|
||||
* The configured umask is set before the server is started and the configured uid is set after the server is started.
|
||||
* </p>
|
||||
*
|
||||
* @author gregw
|
||||
* @author q
|
||||
*
|
||||
*/
|
||||
public class SetUIDServer extends Server {
|
||||
int _uid = 0;
|
||||
int _gid = 0;
|
||||
int _umask = 0;
|
||||
boolean _startServerAsPrivileged;
|
||||
|
||||
public int getUmask() {
|
||||
return _umask;
|
||||
}
|
||||
|
||||
public void setUmask(int umask) {
|
||||
_umask = umask;
|
||||
}
|
||||
|
||||
public int getUid() {
|
||||
return _uid;
|
||||
}
|
||||
|
||||
public void setUid(int uid) {
|
||||
_uid = uid;
|
||||
}
|
||||
|
||||
public void setGid(int gid) {
|
||||
_gid = gid;
|
||||
}
|
||||
|
||||
public int getGid() {
|
||||
return _gid;
|
||||
}
|
||||
|
||||
protected void doStart() throws Exception {
|
||||
if (_umask != 0) {
|
||||
Log.info("Setting umask=0" + Integer.toString(_umask, 8));
|
||||
SetUID.setumask(_umask);
|
||||
}
|
||||
|
||||
if (_startServerAsPrivileged) {
|
||||
super.doStart();
|
||||
dropPrivs();
|
||||
} else {
|
||||
Connector[] connectors = getConnectors();
|
||||
for (int i = 0; connectors != null && i < connectors.length; i++)
|
||||
connectors[i].open();
|
||||
dropPrivs();
|
||||
super.doStart();
|
||||
}
|
||||
}
|
||||
|
||||
private void dropPrivs() {
|
||||
int uid = SetUID.getuid();
|
||||
if (uid != 0) {
|
||||
Log.warn("Expected to be running UID = 0, but got UID = " + uid);
|
||||
return;
|
||||
}
|
||||
if (_gid != 0) {
|
||||
Log.info("Setting GID=" + _gid);
|
||||
SetUID.setgid(_gid);
|
||||
}
|
||||
if (_uid != 0) {
|
||||
Log.info("Setting UID=" + _uid);
|
||||
SetUID.setuid(_uid);
|
||||
}
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @return the startServerAsPrivileged
|
||||
*/
|
||||
public boolean isStartServerAsPrivileged() {
|
||||
return _startServerAsPrivileged;
|
||||
}
|
||||
|
||||
/* ------------------------------------------------------------ */
|
||||
/**
|
||||
* @see {@link Connector#open()}
|
||||
* @param startServerAsPrivileged
|
||||
* if true, the server is started and then the process UID is switched. If false, the connectors are opened,
|
||||
* the UID is switched and then the server is started.
|
||||
*/
|
||||
public void setStartServerAsPrivileged(boolean startContextsAsPrivileged) {
|
||||
_startServerAsPrivileged = startContextsAsPrivileged;
|
||||
}
|
||||
|
||||
}
|
|
@ -131,9 +131,13 @@ $(jetty.home)/lib/jndi/**
|
|||
$(jetty.home)/lib/jetty-annotations-$(version).jar ! available org.eclipse.jetty.annotations.AnnotationFinder
|
||||
$(jetty.home)/lib/annotations/** exists $(jetty.home)/lib/jndi
|
||||
|
||||
[All,setuid]
|
||||
$(jetty.home)/lib/jetty-setuid-$(version).jar ! available org.eclipse.jetty.setuid.SetUID
|
||||
$(jetty.home)/lib/setuid/**
|
||||
|
||||
[All,policy]
|
||||
$(jetty.home)/lib/jetty-policy-$(version).jar ! available org.eclipse.jetty.policy.JettyPolicy
|
||||
$(jetty.home)/lib/security/jetty.policy
|
||||
$(jetty.home)/lib/policy/**
|
||||
|
||||
[All,client]
|
||||
$(jetty.home)/lib/jetty-http-$(version).jar ! available org.eclipse.jetty.http.HttpParser
|
||||
|
|
7
pom.xml
7
pom.xml
|
@ -23,6 +23,7 @@
|
|||
<slf4j-version>1.5.6</slf4j-version>
|
||||
<eclipse-compiler-version>3.1.1</eclipse-compiler-version>
|
||||
<cometd-version>1.0.beta4</cometd-version>
|
||||
<jna-version>3.2.2</jna-version>
|
||||
<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
|
||||
</properties>
|
||||
<scm>
|
||||
|
@ -142,6 +143,7 @@
|
|||
<module>jetty-rewrite</module>
|
||||
<module>jetty-policy</module>
|
||||
<module>jetty-start</module>
|
||||
<module>jetty-setuid</module>
|
||||
<module>test-continuation</module>
|
||||
<module>test-continuation-jetty6</module>
|
||||
<module>test-jetty-servlet</module>
|
||||
|
@ -203,6 +205,11 @@
|
|||
<artifactId>activation</artifactId>
|
||||
<version>${activation-version}</version>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>net.java.dev.jna</groupId>
|
||||
<artifactId>jna</artifactId>
|
||||
<version>${jna-version}</version>
|
||||
</dependency>
|
||||
</dependencies>
|
||||
</dependencyManagement>
|
||||
<!--
|
||||
|
|
Loading…
Reference in New Issue