From d8c28044dad325269a9e6d1d42707fa1c2114501 Mon Sep 17 00:00:00 2001
From: Jason Tedor
Date: Mon, 27 Nov 2017 16:05:27 -0500
Subject: [PATCH] Forbid granting the all permission in production
Running with the all permission java.security.AllPermission granted is equivalent to disabling the security manager. This commit adds a bootstrap check that forbids running with this permission granted.
Relates #27548
---
 .../bootstrap/BootstrapChecks.java | 25 +++++++++++++++++++
 .../bootstrap/BootstrapChecksTests.java | 21 +++++++++++++++-
 .../reference/setup/bootstrap-checks.asciidoc | 6 +++++
 3 files changed, 51 insertions(+), 1 deletion(-)
diff --git a/core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java b/core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java
index 54f1528e463..c2e5d2ef11a 100644
--- a/core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java
+++ b/core/src/main/java/org/elasticsearch/bootstrap/BootstrapChecks.java
@@ -38,6 +38,7 @@ import java.io.BufferedReader;
 import java.io.IOException;
 import java.nio.file.Files;
 import java.nio.file.Path;
+import java.security.AllPermission;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
@@ -210,6 +211,7 @@ final class BootstrapChecks {
 checks.add(new OnOutOfMemoryErrorCheck());
 checks.add(new EarlyAccessCheck());
 checks.add(new G1GCCheck());
+ checks.add(new AllPermissionCheck());
 return Collections.unmodifiableList(checks);
 }
@@ -692,4 +694,27 @@ final class BootstrapChecks {
 }
+ static class AllPermissionCheck implements BootstrapCheck {
+
+ @Override
+ public final BootstrapCheckResult check(BootstrapContext context) {
+ if (isAllPermissionGranted()) {
+ return BootstrapCheck.BootstrapCheckResult.failure("granting the all permission effectively disables security");
+ }
+ return BootstrapCheckResult.success();
+ }
+
+ boolean isAllPermissionGranted() {
+ final SecurityManager sm = System.getSecurityManager();
+ assert sm != null;
+ try {
+ sm.checkPermission(new AllPermission());
+ } catch (final SecurityException e) {
+ return false;
+ }
+ return true;
+ }
+ + } + }
diff --git a/core/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java b/core/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java
index a70d96a302c..8598c576c23 100644
--- a/core/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java
+++ b/core/src/test/java/org/elasticsearch/bootstrap/BootstrapChecksTests.java
@@ -45,7 +45,6 @@ import static org.hamcrest.CoreMatchers.containsString;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.instanceOf;
 import static org.hamcrest.Matchers.hasToString;
-import static org.mockito.Matchers.eq;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.verify;
 import static org.mockito.Mockito.verifyNoMoreInteractions;
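Review bot: `isAllPermissionGranted()` dereferences `sm` right after `assert sm != null;`, and assertions are disabled by default in production, so a bootstrap that reaches this check without an installed security manager would fail with a NullPointerException rather than a clear check result; since running with no security manager is at least as permissive as holding the all permission, an explicit guard such as `if (sm == null) { return true; } // no security manager: equivalent to the all permission` expresses the intended outcome (whether the manager is always installed before checks run is not visible in this hunk). A comment on `sm.checkPermission(new AllPermission())` should state that the permission is evaluated against the current access-control context, i.e. the protection domains of every frame on the bootstrap stack, so the check observes a grant that applies to the calling code and, as far as this hunk shows, not a grant confined to some other domain such as a plugin's. The two results are qualified differently (`BootstrapCheck.BootstrapCheckResult.failure(...)` vs `BootstrapCheckResult.success()`); using one form for both is cleaner. The enclosing class `BootstrapChecks` starts outside the hunk.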
@@ -690,6 +689,26 @@ public class BootstrapChecksTests extends ESTestCase {
 BootstrapChecks.check(defaultContext, true, Collections.singletonList(nonJava8Check), "testG1GCCheck");
 }
+ public void testAllPermissionCheck() throws NodeValidationException {
+ final AtomicBoolean isAllPermissionGranted = new AtomicBoolean(true);
+ final BootstrapChecks.AllPermissionCheck allPermissionCheck = new BootstrapChecks.AllPermissionCheck() {
+ @Override
+ boolean isAllPermissionGranted() {
+ return isAllPermissionGranted.get();
+ }
+ };
+
+ final List checks = Collections.singletonList(allPermissionCheck);
+ final NodeValidationException e = expectThrows(
+ NodeValidationException.class,
+ () -> BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck"));
+ assertThat(e, hasToString(containsString("granting the all permission effectively disables security")));
+
+ // if all permissions are not granted, nothing should happen
+ isAllPermissionGranted.set(false);
+ BootstrapChecks.check(defaultContext, true, checks, "testIsAllPermissionCheck");
+ }
+ + public void testAlwaysEnforcedChecks() {
 final BootstrapCheck check = new BootstrapCheck() {
 @Override
diff --git a/docs/reference/setup/bootstrap-checks.asciidoc b/docs/reference/setup/bootstrap-checks.asciidoc
index 3fd5b6053fa..58e9867519d 100644
--- a/docs/reference/setup/bootstrap-checks.asciidoc
+++ b/docs/reference/setup/bootstrap-checks.asciidoc
@@ -227,3 +227,9 @@ have issues that can lead to index corruption when the G1GC collector is enabled. The versions impacted are those earlier than the version of HotSpot that shipped with JDK 8u40. The G1GC check detects these early versions of the HotSpot JVM.
+
+=== All permission check
+
+The all permission check ensures that the security policy used during bootstrap
+does not grant the `java.security.AllPermission` to Elasticsearch. Running with
+the all permission granted is equivalent to disabling the security manager.
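Review bot: The test only drives the overridden `isAllPermissionGranted()` stub, so the real `SecurityManager.checkPermission(new AllPermission())` path in `BootstrapChecks.AllPermissionCheck` is never executed under any policy; a comment on `testAllPermissionCheck` noting that the production path is covered only indirectly, through whatever security manager the test framework installs, would make that gap explicit. The list is declared as `final List checks`, which, unless the rendering dropped a type argument, is a raw type and should read `final List<BootstrapCheck> checks = Collections.singletonList(allPermissionCheck);`. The name passed to `BootstrapChecks.check` is `"testIsAllPermissionCheck"` while the method is `testAllPermissionCheck`; aligning the two keeps failure output traceable to the test. The enclosing class `BootstrapChecksTests` starts outside the hunk.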