Alexey Kakunin
Error on environment variable and file security
February 1, 2013 03:52

Hi!
I'm trying to enable security for my portlet and get the following errors:

    13:58:03,523 WARN  [http-bio-8080-exec-31][RuntimeChecker:256] Attempted to get environment name SVN_CURRENT_TEST
    13:58:03,525 WARN  [http-bio-8080-exec-31][FileChecker:256] Attempted to execute file <<ALL FILES>>


I did not find in the documentation how to control access to environment variables.
As well - I've tried to set file security to:

    security-manager-files-execute=\
    *


but it did not resolve the file security problems.
How can I enable this

The problem is that these things are accessed not from my code but from the SvnKit library, so I cannot resolve it by changing my code:

    at org.apache.juli.ClassLoaderLogManager.getClassLoaderInfo(ClassLoaderLogManager.java:370)
    at org.apache.juli.ClassLoaderLogManager.getLogger(ClassLoaderLogManager.java:223)
    at java.util.logging.LogManager.demandLogger(LogManager.java:389)
    at java.util.logging.Logger.getLogger(Logger.java:288)
    at org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger.getLogger(DefaultSVNDebugLogger.java:86)
    at org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger.log(DefaultSVNDebugLogger.java:45)
    at org.tmatesoft.svn.util.SVNDebugLogAdapter.logFinest(SVNDebugLogAdapter.java:61)


==
Alexey Kakunin
EmDev Limited
Alexey Melnikov
RE: Error on environment variable and file security
November 12, 2012 00:48

Hello!

I'm also trying to get our portlet to work, together with Alexey Kakunin. Here are my questions about these problems:

RuntimeChecker needs configuration for environment variables.
There is a very strange condition for allowing access to environment variables in com.liferay.portal.security.pacl.checker.RuntimeChecker:

    protected boolean hasGetEnv(String name) {
        Class<?> callerClass7 = Reflection.getCallerClass(7);

        if (callerClass7 == AbstractApplicationContext.class) {
            logGetEnv(callerClass7, 7, name);

            return true;
        }
        ...


For example, we are using the svn-kit library, which requires access to an environment variable. But in Liferay, we cannot configure this for a specific variable name or for all variables.

RuntimeChecker security check hasWriteFileDescriptor
Liferay allows writing to a file descriptor only from java.lang.ProcessImpl, but in our code a file is downloaded from the network, and the code checks the permission to write to a file descriptor from java.net.SocketOutputStream.

    protected boolean hasWriteFileDescriptor() {
        if (JavaDetector.isJDK7()) {
            Class<?> callerClass9 = Reflection.getCallerClass(9);
            String callerClassName9 = callerClass9.getName();
            if (callerClassName9.startsWith(_CLASS_NAME_PROCESS_IMPL) &&
                CheckerUtil.isAccessControllerDoPrivileged(10)) {
                logWriteFileDescriptor(callerClass9, 9);
                return true;
            }
        }
        ...


RuntimeChecker does not support the permission (java.lang.RuntimePermission loadLibrary.jnidispatch)
svn-kit uses jna-3.2.3.jar, which tries to load a native library at runtime. It is a very specific usage for a portlet. But maybe it would be nice if Liferay provided some API to configure additional custom permissions like this.

These problems are blocking for us.

I also want to propose one enhancement:

FileChecker needs separate constants for executables from the PATH system variable, not <<ALL FILES>>.
For example: Java tries to run cmd.exe or sh, but FileChecker replaces these files with the constant <<ALL FILES>> because it's not an absolute path.

By Liferay I mean Liferay CE 6.1 GA2.
Ray Augé
RE: Error on environment variable and file security
January 15, 2013 12:42
LIFERAY STAFF

We've got a fix for the environment variables coming:

http://issues.liferay.com/browse/LPS-32137

With respect to file paths, * does not work as you expect.

/* only means "all files in the current directory"
/- means all files in the current directory and any subdirectory

See http://docs.oracle.com/javase/6/docs/api/java/io/FilePermission.html
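
The path patterns discussed above, as an added example that is not part of the original posts and is not Liferay's FileChecker code: it uses plain java.io.FilePermission to compare what each grant pattern covers against an execute request. The /opt/tools paths and the class and method names are constructed for illustration, and it assumes the PACL file rules follow FilePermission matching, as the reply's link to that Javadoc suggests.

```java
import java.io.FilePermission;

// Added example: standard java.io.FilePermission matching only.
// Class name, method name and sample paths are hypothetical.
public class FilePermissionPatterns {

    // True when an "execute" grant on grantedPath covers an "execute"
    // request on requestedPath, according to FilePermission.implies().
    static boolean covers(String grantedPath, String requestedPath) {
        FilePermission granted = new FilePermission(grantedPath, "execute");
        FilePermission requested = new FilePermission(requestedPath, "execute");
        return granted.implies(requested);
    }

    public static void main(String[] args) {
        // Grant patterns, per the FilePermission Javadoc:
        //   "*"             files directly in the current directory
        //   "/opt/tools/*"  files directly in /opt/tools
        //   "/opt/tools/-"  files in /opt/tools and, recursively, its subdirectories
        //   "<<ALL FILES>>" special token that matches any file
        String[] grants = {"*", "/opt/tools/*", "/opt/tools/-", "<<ALL FILES>>"};

        // Requests (constructed): a direct child, a nested file, and the
        // <<ALL FILES>> target reported by FileChecker in the log above.
        String[] requests = {"/opt/tools/svn", "/opt/tools/bin/svn", "<<ALL FILES>>"};

        for (String grant : grants) {
            for (String request : requests) {
                System.out.printf("grant %-14s request %-20s -> %b%n",
                        grant, request, covers(grant, request));
            }
        }
    }
}
```

The row to look at is the `<<ALL FILES>>` request: a directory-scoped grant, wildcard or not, is narrower than that token, so the scope of an execute rule should be checked against the exact target the checker reports rather than against the wildcard's apparent meaning.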
Ray Augé
RE: Error on environment variable and file security
January 15, 2013 13:20
LIFERAY STAFF

Could you share with me a minimal test case? It would help identify how to address these issues.