dcwaterm / pwm

Automatically exported from code.google.com/p/pwm
0 stars 0 forks source link

[Enhancement] PWM v1.7.0 b1217 (RC2) / SVN revision 548 Ruleset Java Security Manager #379

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Hereby my trial and error ruleset for the Java Security Manager policy in 
combination with PWM v1.7.0 b1217 (RC2). This Rulset is started from Scratch, 
because the current documented policy in the PWM administration guide is a bit 
outdated. To give something back to this community, I thought it would be 
appreciated to share this Ruleset to prevent most people going through this 
painful process. The ruleset is used on a SLES 11 SP2 server so you may need to 
change some of the paths. Also, it's not a complete ruleset, but appended to 
the end of the Tomcat6 standard catalina.policy file.

Let me know if these rules are not enough for correct functionality: I'm not 
using all of the modules in PWM (i.e. New User Registration/ Guest Registration 
are not used in my setup), so it would be nice if somebody else could verify 
that.

My system information:

$ zypper if tomcat6
Loading repository data...
Reading installed packages...

Information for package tomcat6:

Repository: SLES11-SP1-Updates
Name: tomcat6
Version: 6.0.18-20.35.36.1
Arch: noarch
Vendor: SUSE LINUX Products GmbH, Nuernberg, Germany
Support Level: Level 3
Installed: Yes
Status: up-to-date
Installed Size: 183.0 KiB
Summary: Apache Servlet/JSP Engine, RI for Servlet 2.5/JSP 2.1 API
Description:
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is
intended to be a collaboration of the best-of-breed developers from

$ java -version
java version "1.7.0_21"
Java(TM) SE Runtime Environment (build 1.7.0_21-b11)
Java HotSpot(TM) 64-Bit Server VM (build 23.21-b01, mixed mode)

Ruleset:
-------------------------------------------------------

// ========== PWM-specific settings =====================================

grant {
        // Basic Runtime Permissions
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "setContextClassLoader";
        permission java.lang.RuntimePermission "getClassLoader";
        permission java.lang.RuntimePermission "modifyThread";

        // Misc RuntimePermissions
        permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.*";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.x509";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.compiler";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.resources";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.servlet";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.xmlparser";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.misc";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.rsa";
        permission java.lang.RuntimePermission "accessClassInPackage.sun.security.util";
        permission java.lang.RuntimePermission "accessClassInPackage.org.apache.coyote";
        permission java.lang.RuntimePermission "defineClassInPackage.java.lang";
        permission java.lang.RuntimePermission "defineClassInPackage.java.util";
        permission java.lang.RuntimePermission "defineClassInPackage.org.apache.jasper.runtime";
        permission java.lang.RuntimePermission "getFileSystemAttributes";

        // FilePermissions
        permission java.io.FilePermission "${catalina.base}/webapps/pwm", "read";
        permission java.io.FilePermission "${catalina.base}/webapps/pwm/-", "read";
        permission java.io.FilePermission "${catalina.base}/work/Catalina/localhost/pwm", "read, write, delete";
        permission java.io.FilePermission "${catalina.base}/work/Catalina/localhost/pwm/-", "read, write, delete";
        permission java.io.FilePermission "${catalina.base}/webapps/pwm/WEB-INF/-", "read, write";
        permission java.io.FilePermission "${catalina.base}/webapps/pwm/WEB-INF/LocalDB", "read, write, delete, execute";
        permission java.io.FilePermission "${catalina.base}/webapps/pwm/WEB-INF/LocalDB/-", "read, write, delete, execute";
        permission java.io.FilePermission "${java.home}/lib/-", "read";
        permission java.io.FilePermission "/usr/share/java/-", "read";
        permission java.io.FilePermission "${catalina.base}/.mailcap", "read";
        permission java.io.FilePermission "derby.properties", "read";

        // workaround for what I think is a SLES issue: although general symlinks exists for bootstrap and tomcat-juli without version numbers, tomcat still tries to access specific versions of the bootstrap and tomcat-juli
        permission java.io.FilePermission "${catalina.base}/bin/bootstrap-6.0.18.jar", "read";
        permission java.io.FilePermission "${catalina.base}/bin/tomcat-juli-6.0.18.jar", "read";

        // PropertyPermissions
        permission java.util.PropertyPermission "*", "read,write";
        permission java.util.PropertyPermission "com.sun.jersey.core.util.ReaderWriter.BufferSize", "read";
        permission java.util.PropertyPermission "com.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize", "read";
        permission java.util.PropertyPermission "com.sun.xml.bind.v2.runtime.JAXBContextImpl.fastBoot", "read";
        permission java.util.PropertyPermission "derby.stream.error.logSeverityLevel", "read";
        permission java.util.PropertyPermission "derby.system.home", "read";
        permission java.util.PropertyPermission "javax.activation.addreverse", "read";
        permission java.util.PropertyPermission "javax.activation.debug", "read";
        permission java.util.PropertyPermission "org.jdom2.xpath.XPathFactory", "read";
        permission java.util.PropertyPermission "org.jdom2.output.LineSeparator", "read";
        permission java.util.PropertyPermission "org.saxpath.driver", "read";
        permission java.util.PropertyPermission "org.apache.commons.logging", "read";
        permission java.util.PropertyPermission "user.home", "read";
        permission java.util.PropertyPermission "user.language", "write";
        permission java.util.PropertyPermission "user.name", "read";
        permission java.util.PropertyPermission "mail.mime.*", "read";
        permission java.util.PropertyPermission "mail.socket.debug", "read";
        permission java.util.PropertyPermission "mail.URLName.dontencode", "read";
        permission java.util.PropertyPermission "mapAnyUriToUri", "read";
        permission java.util.PropertyPermission "memAdmin", "read";
        permission java.util.PropertyPermission "memLock", "read";
        permission java.util.PropertyPermission "memTree", "read";
        permission java.util.PropertyPermission "memTreeAdmin", "read";
        permission java.util.PropertyPermission "memTxn", "read";
        permission java.util.PropertyPermission "org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING", "read";
        permission java.util.PropertyPermission "org.apache.jasper.compiler.Generator.VAR_EXPRESSIONFACTORY", "read";
        permission java.util.PropertyPermission "org.apache.jasper.compiler.Generator.VAR_ANNOTATIONPROCESSOR", "read";
        permission java.util.PropertyPermission "sun.arch.data.model", "read";

        // BerkeleyDB-specific properties
        permission java.util.PropertyPermission "je.*", "read";
        permission java.util.PropertyPermission "JEDiagnostics", "read";
        permission java.util.PropertyPermission "JEMonitor", "read";

        // Log4j-specific properties
        permission java.util.PropertyPermission "log4j.*", "read";

        // SocketPermission
        permission java.net.SocketPermission "pwm-cloud.appspot.com:443", "connect, resolve";
        permission java.net.SocketPermission "<your ldap server>:389", "connect, resolve";
        permission java.net.SocketPermission "<your ldap server>:636", "connect, resolve";
        permission java.net.SocketPermission "<your SMTP server>:25", "connect, resolve";
        permission java.net.SocketPermission "www.google.com","connect, resolve";
        permission java.net.SocketPermission "<your SMS gateway>", "connect, resolve";

        // Misc permissions
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission java.util.logging.LoggingPermission "control";
        permission java.lang.management.ManagementPermission "monitor";
};

-------------------------------------------------------

Note that this ruleset has only been tested with PWM utilizing the following 
features only:
- Update Profile
- Change password
- Forgotten Username
- Forgotten Password
- Activate Account
- reCAPTCHA verification
- e-mail and SMS token
- Basic Configuration Manager editing

One thing that makes me a bit nervous is the following permission:

java.util.PropertyPermission "*", "read,write";

This sets the permissions for Tomcat webapps a bit too open. I had to add this 
to the Ruleset, because the Change Password functionality needs this permission 
in the current nightly build (verified this by using the Java SecurityManager 
debug logging). Maybe Jason could have a look at the code, wether this 
permission could be more restrictive.

All the best,

Sebastiaan

Original issue reported on code.google.com by sebastia...@gmail.com on 1 May 2013 at 8:30

GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
[deleted comment]
GoogleCodeExporter commented 9 years ago
A minor edit on the ruleset: delete rights are necessary on WEB-INF if the 
maximum amount of backups on PwmConfiguration.xml is reached.

Original comment by sebastia...@gmail.com on 3 May 2013 at 1:38

Attachments:

GoogleCodeExporter commented 9 years ago

Original comment by menno.pi...@gmail.com on 24 May 2013 at 9:17