From: rmuir@apache.org X-Git-Host: gitbox.apache.org X-Git-Repo: lucene-solr X-Git-Refname: refs/heads/branch_8x X-Git-Reftype: branch X-Git-Oldrev: ba95111d71cc4d24b5ab4e8c022a3cbde42fd283 X-Git-Newrev: 3de517b2869d0d7664dbe1b55f6f803091c92bff X-Git-Rev: 3de517b2869d0d7664dbe1b55f6f803091c92bff X-Git-NotificationType: ref_changed_plus_diff X-Git-Multimail-Version: 1.5.dev Auto-Submitted: auto-generated This is an automated email from the ASF dual-hosted git repository. rmuir pushed a commit to branch branch_8x in repository https://gitbox.apache.org/repos/asf/lucene-solr.git The following commit(s) were added to refs/heads/branch_8x by this push: new 3de517b SOLR-13986: remove execute permission from solr-tests.policy 3de517b is described below commit 3de517b2869d0d7664dbe1b55f6f803091c92bff Author: Robert Muir AuthorDate: Mon Dec 2 05:36:29 2019 -0500 SOLR-13986: remove execute permission from solr-tests.policy --- .../apache/lucene/util/TestSecurityManager.java | 63 ++++++++++++++++++++++ lucene/tools/junit4/solr-tests.policy | 12 ++--- 2 files changed, 69 insertions(+), 6 deletions(-) diff --git a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java index 99c6270..70539cd 100644 --- a/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java +++ b/lucene/test-framework/src/java/org/apache/lucene/util/TestSecurityManager.java @@ -41,6 +41,69 @@ public final class TestSecurityManager extends SecurityManager { super(); } + // TODO: move this stuff into a Solr (non-test) SecurityManager! + /** + * {@inheritDoc} + *

This method implements hacks to workaround hadoop's garbage Shell and FileUtil code + */ + @Override + public void checkExec(String cmd) { + // NOTE: it would be tempting to just allow anything from hadoop's Shell class, but then + // that would just give an easy vector for RCE (use hadoop Shell instead of e.g. ProcessBuilder) + // so we whitelist actual caller impl methods instead. + for (StackTraceElement element : Thread.currentThread().getStackTrace()) { + // hadoop insists on shelling out to get the user's supplementary groups? + if ("org.apache.hadoop.security.ShellBasedUnixGroupsMapping".equals(element.getClassName()) && + "getGroups".equals(element.getMethodName())) { + return; + } + // hadoop insists on shelling out to parse 'df' command instead of using FileStore? + if ("org.apache.hadoop.fs.DF".equals(element.getClassName()) && + "getFilesystem".equals(element.getMethodName())) { + return; + } + // hadoop insists on shelling out to parse 'du' command instead of using FileStore? + if ("org.apache.hadoop.fs.DU".equals(element.getClassName()) && + "refresh".equals(element.getMethodName())) { + return; + } + // hadoop insists on shelling out to parse 'ls' command instead of java nio apis? + if ("org.apache.hadoop.util.DiskChecker".equals(element.getClassName()) && + "checkDir".equals(element.getMethodName())) { + return; + } + // hadoop insists on shelling out to parse 'stat' command instead of Files.getAttributes? + if ("org.apache.hadoop.fs.HardLink".equals(element.getClassName()) && + "getLinkCount".equals(element.getMethodName())) { + return; + } + // hadoop "canExecute" method doesn't handle securityexception and fails completely. + // so, lie to it, and tell it we will happily execute, so it does not crash. + if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) && + "canExecute".equals(element.getMethodName())) { + return; + } + } + super.checkExec(cmd); + } + + /** + * {@inheritDoc} + *

This method implements hacks to workaround hadoop's garbage FileUtil code + */ + @Override + public void checkWrite(String file) { + for (StackTraceElement element : Thread.currentThread().getStackTrace()) { + // hadoop "canWrite" method doesn't handle securityexception and fails completely. + // so, lie to it, and tell it we will happily write, so it does not crash. + if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) && + "canWrite".equals(element.getMethodName())) { + return; + } + } + super.checkWrite(file); + } + /** * {@inheritDoc} *

This method inspects the stack trace and checks who is calling diff --git a/lucene/tools/junit4/solr-tests.policy b/lucene/tools/junit4/solr-tests.policy index 69013eb..82ed0bf 100644 --- a/lucene/tools/junit4/solr-tests.policy +++ b/lucene/tools/junit4/solr-tests.policy @@ -25,13 +25,13 @@ grant { // permissions for file access, write access only to sandbox: - permission java.io.FilePermission "<>", "read,execute"; - permission java.io.FilePermission "${junit4.childvm.cwd}", "read,execute"; - permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,execute,write,delete"; - permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,execute,write,delete"; + permission java.io.FilePermission "<>", "read"; + permission java.io.FilePermission "${junit4.childvm.cwd}", "read"; + permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp", "read,write,delete"; + permission java.io.FilePermission "${junit4.childvm.cwd}${/}temp${/}-", "read,write,delete"; permission java.io.FilePermission "${junit4.childvm.cwd}${/}jacoco.db", "write"; - permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,execute,write,delete"; - permission java.io.FilePermission "${clover.db.dir}${/}-", "read,execute,write,delete"; + permission java.io.FilePermission "${junit4.tempDir}${/}*", "read,write,delete"; + permission java.io.FilePermission "${clover.db.dir}${/}-", "read,write,delete"; permission java.io.FilePermission "${tests.linedocsfile}", "read"; permission java.nio.file.LinkPermission "hard";
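Review bot: `checkWrite` captures a full stack trace on every call before the policy is consulted, so every permitted write in the test JVM pays for a walk that only matters when the policy would refuse. Asking `super.checkWrite(file)` first and scanning frames only in the `SecurityException` path gives the same allow/deny result, and the same shape fits `checkExec`. Both overrides also match frames by class and method name alone, so the exemption covers any `file` or `cmd` and any class carrying that name; the Javadoc should state this, e.g. `Frames are matched by name only; the argument and the defining code source are not checked.`

```java
  @Override
  public void checkWrite(String file) {
    try {
      super.checkWrite(file);
    } catch (SecurityException e) {
      // the policy refused: only now inspect the callers
      for (StackTraceElement element : Thread.currentThread().getStackTrace()) {
        if ("org.apache.hadoop.fs.FileUtil".equals(element.getClassName()) &&
            "canWrite".equals(element.getMethodName())) {
          return;
        }
      }
      throw e;
    }
  }
```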
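Review bot: Nothing in the policy file records where the remaining exec allowances live once `execute` is dropped from every `FilePermission`; they are the hard-coded early returns in `TestSecurityManager.checkExec`, which return before the policy is consulted. A comment above these grants would keep someone from re-adding `execute` to a path when a test fails, for example `// no "execute" here: process launches are refused except for the callers listed in TestSecurityManager.checkExec`. The `grant` block continues past the end of this hunk, so any further `FilePermission` entries below are not visible and should be checked for a leftover `execute` action.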