From 0865d220f4d55d9dca858710d2f8240b0c87e7d2 Mon Sep 17 00:00:00 2001 From: Robert Muir Date: Thu, 23 Apr 2015 15:04:58 -0400 Subject: [PATCH] Remove crazy permissions for filestores, ssds, now that this logic has been refactored. Log a warning when security is disabled. --- .../elasticsearch/bootstrap/Bootstrap.java | 2 +- .../org/elasticsearch/bootstrap/Security.java | 35 ++----------------- 2 files changed, 4 insertions(+), 33 deletions(-) diff --git a/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java b/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java index 72c13efa0f4..f69a9c35409 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java +++ b/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java @@ -98,7 +98,7 @@ public class Bootstrap { Security.configure(environment); logger.info("security enabled"); } else { - logger.info("security disabled"); + logger.warn("security disabled"); } } diff --git a/src/main/java/org/elasticsearch/bootstrap/Security.java b/src/main/java/org/elasticsearch/bootstrap/Security.java index 35de7edbe9f..287cfa060e1 100644 --- a/src/main/java/org/elasticsearch/bootstrap/Security.java +++ b/src/main/java/org/elasticsearch/bootstrap/Security.java @@ -19,11 +19,9 @@ package org.elasticsearch.bootstrap; -import org.apache.lucene.util.Constants; -import org.elasticsearch.common.io.PathUtils; +import org.apache.lucene.util.StringHelper; import org.elasticsearch.common.logging.Loggers; import org.elasticsearch.env.Environment; -import org.elasticsearch.env.NodeEnvironment; import java.io.BufferedOutputStream; import java.io.ByteArrayOutputStream; @@ -32,7 +30,6 @@ import java.io.OutputStream; import java.io.OutputStreamWriter; import java.io.Writer; import java.nio.charset.StandardCharsets; -import java.nio.file.FileStore; import java.nio.file.Files; import java.nio.file.Path; import java.util.HashSet; @@ -51,6 +48,8 @@ class Security { * Can only happen once! */ static void configure(Environment environment) throws IOException { + // init lucene random seed. it will use /dev/urandom where available. + StringHelper.randomId(); Path newConfig = processTemplate(environment.configFile().resolve("security.policy"), environment); System.setProperty("java.security.policy", newConfig.toString()); System.setSecurityManager(new SecurityManager()); @@ -102,34 +101,6 @@ class Security { addPath(writer, encode(path), "read,readlink,write,delete"); addRecursivePath(writer, encode(path), "read,readlink,write,delete"); } - - // on *nix, try to grant read perms to file stores / SSD detection - if (!Constants.WINDOWS) { - Set stores = new HashSet<>(); - for (FileStore store : PathUtils.getDefaultFileSystem().getFileStores()) { - try { - String mount = NodeEnvironment.getMountPoint(store); - // mount point for fstat() calls against it - if (mount.startsWith("/")) { - stores.add(mount); - } - // block device: add it for SSD detection - if (store.name().startsWith("/")) { - stores.add(store.name()); - } - } catch (Throwable t) { - // these are hacks that are not guaranteed - } - } - for (String store : stores) { - addPath(writer, encode(store), "read,readlink"); - } - addRecursivePath(writer, "/sys/block", "read,readlink"); - addRecursivePath(writer, "/sys/devices", "read,readlink"); - addRecursivePath(writer, "/dev", "read,readlink"); - addRecursivePath(writer, "/devices", "read,readlink"); - } - writer.write("};"); writer.write(System.lineSeparator()); }