Merge pull request elastic/elasticsearch#1001 from rmuir/lock_down_system_property_writes
Ban write access to system properties Original commit: elastic/x-pack-elasticsearch@919cf17b14
This commit is contained in:
commit
82d9247efe
|
@ -5,6 +5,7 @@
|
||||||
*/
|
*/
|
||||||
package org.elasticsearch.shield;
|
package org.elasticsearch.shield;
|
||||||
|
|
||||||
|
import org.elasticsearch.SpecialPermission;
|
||||||
import org.elasticsearch.action.ActionModule;
|
import org.elasticsearch.action.ActionModule;
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.client.support.Headers;
|
import org.elasticsearch.client.support.Headers;
|
||||||
|
@ -53,6 +54,8 @@ import org.elasticsearch.transport.TransportModule;
|
||||||
import java.io.Closeable;
|
import java.io.Closeable;
|
||||||
import java.nio.file.Path;
|
import java.nio.file.Path;
|
||||||
import java.util.*;
|
import java.util.*;
|
||||||
|
import java.security.AccessController;
|
||||||
|
import java.security.PrivilegedAction;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
*
|
*
|
||||||
|
@ -71,6 +74,35 @@ public class ShieldPlugin extends Plugin {
|
||||||
private final boolean clientMode;
|
private final boolean clientMode;
|
||||||
private ShieldLicenseState shieldLicenseState;
|
private ShieldLicenseState shieldLicenseState;
|
||||||
|
|
||||||
|
// TODO: clean up this library to not ask for write access to all system properties!
|
||||||
|
static {
|
||||||
|
// invoke this clinit in unbound with permissions to access all system properties
|
||||||
|
SecurityManager sm = System.getSecurityManager();
|
||||||
|
if (sm != null) {
|
||||||
|
sm.checkPermission(new SpecialPermission());
|
||||||
|
}
|
||||||
|
try {
|
||||||
|
AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||||
|
@Override
|
||||||
|
public Void run() {
|
||||||
|
try {
|
||||||
|
Class.forName("com.unboundid.util.Debug");
|
||||||
|
} catch (ClassNotFoundException e) {
|
||||||
|
throw new RuntimeException(e);
|
||||||
|
}
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
});
|
||||||
|
// TODO: fix gradle to add all shield resources (plugin metadata) to test classpath
|
||||||
|
// of watcher plugin, which depends on it directly. This prevents these plugins
|
||||||
|
// from being initialized correctly by the test framework, and means we have to
|
||||||
|
// have this leniency.
|
||||||
|
} catch (ExceptionInInitializerError bogus) {
|
||||||
|
if (bogus.getCause() instanceof SecurityException == false) {
|
||||||
|
throw bogus; // some other bug
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
public ShieldPlugin(Settings settings) {
|
public ShieldPlugin(Settings settings) {
|
||||||
this.settings = settings;
|
this.settings = settings;
|
||||||
|
|
|
@ -0,0 +1,4 @@
|
||||||
|
grant {
|
||||||
|
// needed because of problems in unbound LDAP library
|
||||||
|
permission java.util.PropertyPermission "*", "read,write";
|
||||||
|
};
|
|
@ -7,6 +7,7 @@ package org.elasticsearch.watcher;
|
||||||
|
|
||||||
import org.elasticsearch.Version;
|
import org.elasticsearch.Version;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
import org.elasticsearch.license.plugin.LicensePlugin;
|
import org.elasticsearch.license.plugin.LicensePlugin;
|
||||||
import org.elasticsearch.node.MockNode;
|
import org.elasticsearch.node.MockNode;
|
||||||
import org.elasticsearch.node.Node;
|
import org.elasticsearch.node.Node;
|
||||||
|
@ -23,6 +24,7 @@ import java.util.concurrent.CountDownLatch;
|
||||||
*/
|
*/
|
||||||
public class WatcherF {
|
public class WatcherF {
|
||||||
|
|
||||||
|
@SuppressForbidden(reason = "not really code or a test")
|
||||||
public static void main(String[] args) throws Throwable {
|
public static void main(String[] args) throws Throwable {
|
||||||
Settings.Builder settings = Settings.builder();
|
Settings.Builder settings = Settings.builder();
|
||||||
settings.put("http.cors.enabled", "true");
|
settings.put("http.cors.enabled", "true");
|
||||||
|
|
|
@ -13,6 +13,7 @@ import org.elasticsearch.action.search.SearchRequest;
|
||||||
import org.elasticsearch.action.search.SearchResponse;
|
import org.elasticsearch.action.search.SearchResponse;
|
||||||
import org.elasticsearch.client.Client;
|
import org.elasticsearch.client.Client;
|
||||||
import org.elasticsearch.common.Strings;
|
import org.elasticsearch.common.Strings;
|
||||||
|
import org.elasticsearch.common.SuppressForbidden;
|
||||||
import org.elasticsearch.common.metrics.MeanMetric;
|
import org.elasticsearch.common.metrics.MeanMetric;
|
||||||
import org.elasticsearch.common.settings.Settings;
|
import org.elasticsearch.common.settings.Settings;
|
||||||
import org.elasticsearch.common.unit.ByteSizeValue;
|
import org.elasticsearch.common.unit.ByteSizeValue;
|
||||||
|
@ -63,6 +64,7 @@ public class WatcherScheduleEngineBenchmark {
|
||||||
.put("http.cors.enabled", true)
|
.put("http.cors.enabled", true)
|
||||||
.build();
|
.build();
|
||||||
|
|
||||||
|
@SuppressForbidden(reason = "not really code or a test")
|
||||||
public static void main(String[] args) throws Exception {
|
public static void main(String[] args) throws Exception {
|
||||||
System.setProperty("es.logger.prefix", "");
|
System.setProperty("es.logger.prefix", "");
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue