sis-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Martin Desruisseaux (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SIS-320) Enable SIS to run is security-constrained environments
Date Fri, 11 Mar 2016 11:50:50 GMT

    [ https://issues.apache.org/jira/browse/SIS-320?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15190833#comment-15190833
] 

Martin Desruisseaux commented on SIS-320:
-----------------------------------------

The above {{security.policy}} file allows the application to run, but there is probably more
places missing a call to {{AccessController.doPrivileged(...)}}. Current state is conservative
(we use privileged block for stuff like getting environment variable values). The main risk
is in the code registering a shutdown hook, since that hook executes codes registered by other
parts of the SIS library. A malicious code could use this SIS mechanism for registering its
own code. This security hole should be fixed when we will use Jigsaw since that hook is in
a SIS internal package.

We removed the use of {{doPrivileged}} for {{ServiceLoader}} since the loader could create
non-SIS classes if they are declared in {{META-INF/services/foo}}. We will revisit with Jigsaw.
If desired, the use of {{doPrivileged}} can be re-enabled by applying this diff:

{code}
svn diff -r1734539:1734538 core/sis-utility/src/main/java/org/apache/sis/internal/system/DefaultFactories.java
{code}

> Enable SIS to run is security-constrained environments
> ------------------------------------------------------
>
>                 Key: SIS-320
>                 URL: https://issues.apache.org/jira/browse/SIS-320
>             Project: Spatial Information Systems
>          Issue Type: Improvement
>          Components: Metadata, Referencing, Storage, Utilities
>    Affects Versions: 0.3, 0.4, 0.5, 0.6
>            Reporter: Martin Desruisseaux
>            Assignee: Martin Desruisseaux
>             Fix For: 0.7
>
>
> Wraps some code necessary to SIS working in {{AccessController.doPrivileged(...)}} blocks.
Examples:
> {code:java}
> String dir = AccessController.doPrivileged((PrivilegedAction<String>) () ->
{
>     return System.getenv("SIS_DATA");
> });
> {code}
> We should not wrap all security-sensitive request for information, but only those that
are needed for SIS working. Examples:
> * Environment variable value for {{SIS_DATA}}.
> * Property value for {{"java.naming.factory.initial"}}, {{"derby.system.home"}}.
> * Call to {{Field.setAccessible(true)}} in {{clone()}} methods for setting final fields.
> Information for which we do *not* request privileged actions at this time:
> * MBean registration.
> * Property value for {{"java.home"}}.
> * Call to {{Field.setAccessible(true)}} on deserialization for setting final transient
fields.
> Initial patch for SIS has been submitted by Guilhem L├ęgal.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message