Hey stackoverflow community!
I'm writing a small program. In this program code, written in a Web-Interface, is compiled and run.
Now I want the written code from the web-interface to have just a few permissions, like reading a file in a specific directory, while my own code has all permissions.
I just looked up the SecurityManager and found a way to carry this out by using the codeBase attribute of the Policy-File. My idea was to give my code all permissions so the written code has no permissions.
grant codeBase "file:/PATH/-" {
permission java.security.AllPermission;
};
grant {
};
PATH points to the root directory of my program (with bin/src as subfolder).
It works until i'm invoking javax.tools.JavaCompiler.CompilationTask.call() to compile the given code, although the file has the required permissions:
An exception has occurred in the compiler (1.8.0_05). Please file a bug at the Java Developer Connection (Report a Bug or Request a Feature) after checking the Bug Parade for duplicates. Include your program and the following diagnostic in your report. Thank you.
java.security.AccessControlException: access denied ("java.util.PropertyPermission" "nonBatchMode" "read")
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:457)
at java.security.AccessController.checkPermission(AccessController.java:884)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1294)
at java.lang.System.getProperty(System.java:714)
at com.sun.tools.javac.main.Main.compile(Main.java:445)
at com.sun.tools.javac.api.JavacTaskImpl.doCall(JavacTaskImpl.java:129)
at com.sun.tools.javac.api.JavacTaskImpl.call(JavacTaskImpl.java:138)
.
.
.
I don't want to create a .java- and a .class-file for every typed code. For this reasen I used a ClassLoader with the following URI:
URI.create( "string:///" + className + Kind.CLASS.extension )
Trying to avoid the use of the "signedBy"-attriutes is important because it's difficult to sign .jar-files in Eclipse.
These are my questions:
1) Does anyone have an idea why the compiler throws an AccessControlException, although all needed rights are allowed?
2) Does anyone have an idea how to modify the SecurityManager this way?
3) Is it possible to seperate the included code from my own code at all?
4) Is the SecurityManager the right solution to my problem at all?
Thanks for reading and answering!
Related
In redhat-openjdk:1.8.0, jvm java.policy and custom.policy file's java.version is being effective on the activeprocess
I've configured the java process to use java security manager and it uses Apache server to run the process. So Apache client look for "java.version" read permission in default and/or custom policy file.
I've included ready property permission, yet i'm getting weird AccessControlException.
Exception i'm seeing is:
java.lang.RuntimeException: java.util.concurrent.ExecutionException: java.lang.RuntimeException: java.security.AccessControlException: access denied ("java.util.PropertyPermission" "java.version" "read")
I've right permissions in place Property permission entry in jvm/secruity/java.policy
permission java.util.PropertyPermission "java.version", "read";
and in custom.policy ( -Djava.security.manager -Djava.security.policy=custom.policy), file path fully-qualified, i just shortened for better understanding):
permission java.util.PropertyPermission "java.version", "read";
Expectation is to run java process with out issues, but that's not happening.
Edit 1:
I've also tried enforcing all permission using below line:
grant{
permission java.security.AllPermission;
};
But seems like it is still not working. I've also tried using '==' while setting up policy file, which mean
`If you use
java -Djava.security.manager -Djava.security.policy==someURL SomeApp
(note the double equals) then just the specified policy file will be used; all the ones indicated in the security properties file will be ignored.`
As per jdk 8 doc
Any help is much appreciated.
Looks to me that the policy is not in effect. In case you have multiple JDK releases installed, are you sure that you've modified the default policy for the same release that you are running with? I'd start by granting AllPermissions just to make sure that the policy is in effect, and then focus on the permission line itself.
When starting for example Elasticsearch 5.5 :
main ERROR Could not register mbeans java.security.AccessControlException: access denied ("javax.management.MBeanTrustPermission" "register")
Workaround with Oracle Java 1.8.0_131 is to open file <jre>/lib/security/java.policy and add this line to grant section (i.e. between curly brackets):
permission javax.management.MBeanTrustPermission "register";
Why workaround? The upright solution would be to specify extra grant section which code exactly should get this permission.
got the same error and the answer is here java.security.AccessControlException when using Ant, but runs ok when invoking java from console
Append the grant section in java.policy file with
permission javax.management.MBeanTrustPermission "register";
I had this same issue when moving from a single instance to two instances locally.
I tried what Alice suggested above. Even re-installed Elasticsearch (5.5.0).
I also updated my Java to the latest one for Linux provided by Oracle.
Nothing was working. Then I discovered, that I couldn't just take the elasticsearch-5.5.0/config directory and rename it to elasticsearch-5.5.0/node1.
So... I had to leave that config directory in place and clone it to node1/node2.
EVEN if I configure path.config in the runtime args, ES still needs that base line config directory.
Hope this helps.
I faced same issue on Ubuntu-16.04 system.
Solution:
ElasticSeearch service is not allowed to run for "ROOT" user. That's why change the ownership of elasticsearch folder with below command:
go to Elasticseach installation directory
$ sudo chown -R user_name:user_Group elasticsearch-5.5.0
$/bin/elasticsearch
this will start elasticsearch service. It is working form me perfectly.
I'm dealing with a badly-behaved library (JRuby) which tries to read the entire universe and then fails to deal with the SecurityException as well, thus fails to start up at all.
Caused by: org.jruby.exceptions.RaiseException: (LoadError) library `java' could not be loaded: java.security.AccessControlException: access denied ("java.io.FilePermission" "/Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/lib/ant-javafx.jar" "read")
I don't mind JRuby (or any other library, for that matter) reading the entire universe, though, so I am trying to figure out how to add this to the grants. This jar file turns out to be on the java.class.path, but I can't figure out the rule to grant the permission.
Taking examples from other policy files I have seen in the past, I have been trying things like this:
grant {
permission java.io.FilePermission "${{java.class.path}}", "read, execute";
permission java.io.FilePermission "${{java.class.path}}/-", "read, execute";
};
But it makes no difference whatsoever, so I suspect this ${{...}} syntax only works for the codeBase.
Is there a way to do it for file permissions as well?
I'm trying to prohibit the call to System.exit(int); in some jars.
These jars will be developed by external teams and loaded by our "container" application .
My first reflex is to use the java security manager:
-Djava.security.manager-Djava.security.debug=all
with the simplest ${user.home}/.java.policy file :
grant {};
Although I can no longer call such as System.getProperties () (since I do not have java.util.PropertyPermission), I can do a System.exit (0) !!
The option java.security.debug=all gives the following console:
scl: getPerms ProtectionDomain (file: my-bin-path <no sign certificates>)
sun.misc.Launcher $ AppClassLoader # 10385c1
<no principals>
java.security.Permissions # 15b7986 (
(java.lang.RuntimePermission exitVM)
(java.io.FilePermission \my-bin-path\- read)
)
Why do all classes in my-bin-path have java.lang.RuntimePermission exitVM granted ?????
thanks
According to the bug report, http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4286238, the policy file wasn't dis-allowing System.exit() calls. I'm running an application with Java 1.6 and am still seeing this bug despite it being "resolved." Similar to the OP, I have a system wide policy file which does not include a permission for exitVM. However, I am able to exit the application without any exception being thrown.
My understanding of including a custom policy file is that all permissions are blacklisted except those included in the policy file. Since exitVM is not included it should be disallowed (overriding the default permission mentioned by MicSim). But this is not the case.
From the Javadoc of RuntimePermission:
Note: The "exitVM.*" permission is automatically granted to all code loaded from the application class path, thus enabling applications to terminate themselves.
Reading this, it seems you have to explicitly deny this permission by writing your own SecurityManager. (For an example, see this answer: Prevent System.exit to actually exit the JVM)
Alternatively you could do AOP and intercept System.exit. Doing that yourself would be: create your own class loader and use BPEL to trace System.exit, and patch those calls. Really not a large effort.
I am reading the tutorial on java security by oracle.
(http://download.oracle.com/javase/tutorial/security/toolsign/rstep4.html)
I duplicate all the files and everything from the tutorial basically.
I am able to run the file with security manager using the following approach in unix:
java -Djava.security.manager -Djava.security.policy=recvPolicy -cp sCount.jar Count ../../test
But when I try to specify a new policy.url in the java.security file like this:
policy.url.1=file:${java.home}/lib/security/java.policy
policy.url.2=file:${user.home}/.java.policy
policy.url.3=file:/home/myhome/SigningTest/recvPolicy
it gives me an exception when I run:
java -Djava.security.manager -cp sCount.jar Count ../../test
The exception is this:
Exception in thread "main" java.security.AccessControlException: access denied (java.io.FilePermission ../../test read)
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
at java.security.AccessController.checkPermission(AccessController.java:546)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
at java.lang.SecurityManager.checkRead(SecurityManager.java:871)
at java.io.FileInputStream.<init>(FileInputStream.java:100)
at java.io.FileInputStream.<init>(FileInputStream.java:66)
at Count.main(Count.java:17)
thanks for feedback
Okay, I did a quick test of this and it works for me. So the only thing that could be causing this problem (my guess) is that you have two jdks installed on your unix box. So make sure that the "java" that you are using for the command line execution is the same version whose java.security you have modified.
The default sun java 6 security file (if you are using ubuntu) is located at:
/etc/java-6-sun/security/java.security
So make sure you are editing the correct version of java.security