フォーラム

ホーム » 1. Marketplace App Development

構造的に表示 平面上に表示 ツリー上に表示
toggle
Alexey Kakunin
Error on environment variable and file security
2013/02/01 3:52
答え

Alexey Kakunin

ランク: Expert

投稿: 370

参加年月日: 2008/07/07

最近の投稿

Hi!
I'm trying to enable security for my portlet and get followed errors:

113:58:03,523 WARN  [http-bio-8080-exec-31][RuntimeChecker:256] Attempted to get environment name SVN_CURRENT_TEST
213:58:03,525 WARN  [http-bio-8080-exec-31][FileChecker:256] Attempted to execute file <<ALL FILES>>


I did not found in documentatin how to control access to environment varialbes.
As well - I'му tried to set file security to:

1security-manager-files-execute=\
2*


but it does not resolved file security problems.
How can I enable this

problem is - these things accesses not from my code - but from SvnKit library - so, I cannot resolve it by changing my code:

1    at org.apache.juli.ClassLoaderLogManager.getClassLoaderInfo(ClassLoaderLogManager.java:370)
2    at org.apache.juli.ClassLoaderLogManager.getLogger(ClassLoaderLogManager.java:223)
3    at java.util.logging.LogManager.demandLogger(LogManager.java:389)
4    at java.util.logging.Logger.getLogger(Logger.java:288)
5    at org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger.getLogger(DefaultSVNDebugLogger.java:86)
6    at org.tmatesoft.svn.core.internal.util.DefaultSVNDebugLogger.log(DefaultSVNDebugLogger.java:45)
7    at org.tmatesoft.svn.util.SVNDebugLogAdapter.logFinest(SVNDebugLogAdapter.java:61)


==
Alexey Kakunin
EmDev Limited
Alexey Melnikov
RE: Error on environment variable and file security
2012/11/12 0:48
答え

Alexey Melnikov

ランク: Junior Member

投稿: 93

参加年月日: 2012/03/27

最近の投稿

Hello!

I'm also trying to get to work our portlet with Alexey Kakunin. And here mine questions about this problems:

RuntimeChecker needs configuration for environment variables.
Very strange conditition for allowing access to environment variables in com.liferay.portal.security.pacl.checker.RuntimeChecker.
 1    protected boolean hasGetEnv(String name) {
 2    Class<?> callerClass7 = Reflection.getCallerClass(7);
 3
 4    if (callerClass7 == AbstractApplicationContext.class) {
 5        logGetEnv(callerClass7, 7, name);
 6
 7        return true;
 8    }
 9        ...


For example we using svn-kit library which requires access to environment variable. But in liferay, we cannot configure it for specific name of variable or all variables.

RuntimeChecker security check hasWriteFileDescriptor
In liferay it allows write file descriptor only from java.lang.ProcessImpl, but in our code file downloaded from network, and code is checking permission to write file descriptor from java.net.SocketOutputStream.
 1    protected boolean hasWriteFileDescriptor() {
 2        if (JavaDetector.isJDK7()) {
 3            Class<?> callerClass9 = Reflection.getCallerClass(9);
 4            String callerClassName9 = callerClass9.getName();
 5            if (callerClassName9.startsWith(_CLASS_NAME_PROCESS_IMPL) &&
 6                CheckerUtil.isAccessControllerDoPrivileged(10)) {
 7                logWriteFileDescriptor(callerClass9, 9);
 8                return true;
 9            }
10        }
11         ...


RuntimeChecker not supported permission (java.lang.RuntimePermission loadLibrary.jnidispatch)
svn-kit using jna-3.2.3.jar which are trying to load native library on runtime. It is very specific usage with portlet. But maybe it would be nice, if liferay provide some api to configure some additional custom permissions like this.

This problems for us is blocking.

And also want to propose one enhancement:

FileChecker needs separate constants for executables from system variable PATH, not a <<ALL FILES>>.
For example: java trying to run cmd.exe or sh, but FileChecker replaces this files to constant <<ALL FILES>> because it's not absolute path.

Under liferay I meant Liferay CE 6.1 GA2.
Ray Augé
RE: Error on environment variable and file security
2013/01/15 12:42
答え

Ray Augé

LIFERAY STAFF

ランク: Liferay Legend

投稿: 1171

参加年月日: 2005/02/07

最近の投稿

We've got a fix for the environment variables coming:

http://issues.liferay.com/browse/LPS-32137

With respect to file paths, * does not work as you expect.

/* only means "all files in the current directory
/- means all files in the current directory and any subdirectory

See http://docs.oracle.com/javase/6/docs/api/java/io/FilePermission.html
Ray Augé
RE: Error on environment variable and file security
2013/01/15 13:20
答え

Ray Augé

LIFERAY STAFF

ランク: Liferay Legend

投稿: 1171

参加年月日: 2005/02/07

最近の投稿

Could you share with me a minial test case? IT would help identify how to address these issues.