Remove Environment.homeFile()

Today we grant read+write+delete access to any files underneath the home.
But we have to remove this, if we want to have improved security of files
underneath elasticsearch.
This commit is contained in:
Robert Muir 2015-07-20 20:27:36 -04:00
parent 4e2bdb67b7
commit 052cf1446f
6 changed files with 29 additions and 21 deletions

View File

@ -117,11 +117,11 @@ final class Security {
/** returns dynamic Permissions to configured paths */ /** returns dynamic Permissions to configured paths */
static Permissions createPermissions(Environment environment) throws IOException { static Permissions createPermissions(Environment environment) throws IOException {
// TODO: improve test infra so we can reduce permissions where read/write
// is not really needed...
Permissions policy = new Permissions(); Permissions policy = new Permissions();
// read-only dirs
addPath(policy, environment.binFile(), "read,readlink");
addPath(policy, environment.libFile(), "read,readlink");
addPath(policy, environment.tmpFile(), "read,readlink,write,delete"); addPath(policy, environment.tmpFile(), "read,readlink,write,delete");
addPath(policy, environment.homeFile(), "read,readlink,write,delete");
addPath(policy, environment.configFile(), "read,readlink,write,delete"); addPath(policy, environment.configFile(), "read,readlink,write,delete");
addPath(policy, environment.logsFile(), "read,readlink,write,delete"); addPath(policy, environment.logsFile(), "read,readlink,write,delete");
addPath(policy, environment.pluginsFile(), "read,readlink,write,delete"); addPath(policy, environment.pluginsFile(), "read,readlink,write,delete");

View File

@ -45,8 +45,6 @@ public class Environment {
private final Settings settings; private final Settings settings;
private final Path homeFile;
private final Path[] dataFiles; private final Path[] dataFiles;
private final Path[] dataWithClusterFiles; private final Path[] dataWithClusterFiles;
@ -57,6 +55,12 @@ public class Environment {
private final Path pluginsFile; private final Path pluginsFile;
/** location of bin/, used by plugin manager */
private final Path binFile;
/** location of lib/, */
private final Path libFile;
private final Path logsFile; private final Path logsFile;
/** Path to the PID file (can be null if no PID file is configured) **/ /** Path to the PID file (can be null if no PID file is configured) **/
@ -83,6 +87,7 @@ public class Environment {
public Environment(Settings settings) { public Environment(Settings settings) {
this.settings = settings; this.settings = settings;
final Path homeFile;
if (settings.get("path.home") != null) { if (settings.get("path.home") != null) {
homeFile = PathUtils.get(cleanPath(settings.get("path.home"))); homeFile = PathUtils.get(cleanPath(settings.get("path.home")));
} else { } else {
@ -133,6 +138,9 @@ public class Environment {
} else { } else {
pidFile = null; pidFile = null;
} }
binFile = homeFile.resolve("bin");
libFile = homeFile.resolve("lib");
} }
/** /**
@ -142,13 +150,6 @@ public class Environment {
return this.settings; return this.settings;
} }
/**
* The home of the installation.
*/
public Path homeFile() {
return homeFile;
}
/** /**
* The data location. * The data location.
*/ */
@ -236,6 +237,14 @@ public class Environment {
return pluginsFile; return pluginsFile;
} }
public Path binFile() {
return binFile;
}
public Path libFile() {
return libFile;
}
public Path logsFile() { public Path logsFile() {
return logsFile; return logsFile;
} }

View File

@ -140,8 +140,8 @@ public class Node implements Releasable {
if (logger.isDebugEnabled()) { if (logger.isDebugEnabled()) {
Environment env = tuple.v2(); Environment env = tuple.v2();
logger.debug("using home [{}], config [{}], data [{}], logs [{}], plugins [{}]", logger.debug("using config [{}], data [{}], logs [{}], plugins [{}]",
env.homeFile(), env.configFile(), Arrays.toString(env.dataFiles()), env.logsFile(), env.pluginsFile()); env.configFile(), Arrays.toString(env.dataFiles()), env.logsFile(), env.pluginsFile());
} }
this.pluginsService = new PluginsService(tuple.v1(), tuple.v2()); this.pluginsService = new PluginsService(tuple.v1(), tuple.v2());

View File

@ -733,7 +733,7 @@ public class PluginManager {
} }
Path binDir(Environment env) { Path binDir(Environment env) {
return env.homeFile().resolve("bin").resolve(name); return env.binFile().resolve(name);
} }
Path configDir(Environment env) { Path configDir(Environment env) {

View File

@ -53,7 +53,7 @@ public class SecurityTests extends ElasticsearchTestCase {
} }
// the fake es home // the fake es home
assertTrue(permissions.implies(new FilePermission(esHome.toString(), "read"))); assertFalse(permissions.implies(new FilePermission(esHome.toString(), "read")));
// its parent // its parent
assertFalse(permissions.implies(new FilePermission(path.toString(), "read"))); assertFalse(permissions.implies(new FilePermission(path.toString(), "read")));
// some other sibling // some other sibling
@ -88,9 +88,8 @@ public class SecurityTests extends ElasticsearchTestCase {
} }
// check that all directories got permissions: // check that all directories got permissions:
// homefile: this is needed unless we break out rules for "lib" dir. assertTrue(permissions.implies(new FilePermission(environment.binFile().toString(), "read")));
// TODO: make read-only assertTrue(permissions.implies(new FilePermission(environment.libFile().toString(), "read")));
assertTrue(permissions.implies(new FilePermission(environment.homeFile().toString(), "read,readlink,write,delete")));
// config file // config file
// TODO: make read-only // TODO: make read-only
assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete"))); assertTrue(permissions.implies(new FilePermission(environment.configFile().toString(), "read,readlink,write,delete")));

View File

@ -85,7 +85,7 @@ public class PluginManagerTests extends ElasticsearchIntegrationTest {
String pluginName = "plugin-test"; String pluginName = "plugin-test";
Tuple<Settings, Environment> initialSettings = buildInitialSettings(); Tuple<Settings, Environment> initialSettings = buildInitialSettings();
Environment env = initialSettings.v2(); Environment env = initialSettings.v2();
Path binDir = env.homeFile().resolve("bin"); Path binDir = env.binFile();
if (!Files.exists(binDir)) { if (!Files.exists(binDir)) {
Files.createDirectories(binDir); Files.createDirectories(binDir);
} }
@ -212,7 +212,7 @@ public class PluginManagerTests extends ElasticsearchIntegrationTest {
String pluginName = "plugin-test"; String pluginName = "plugin-test";
Tuple<Settings, Environment> initialSettings = buildInitialSettings(); Tuple<Settings, Environment> initialSettings = buildInitialSettings();
Environment env = initialSettings.v2(); Environment env = initialSettings.v2();
Path binDir = env.homeFile().resolve("bin"); Path binDir = env.binFile();
if (!Files.exists(binDir)) { if (!Files.exists(binDir)) {
Files.createDirectories(binDir); Files.createDirectories(binDir);
} }