Handle system policy correctly #14704

Closed
wants to merge 2 commits into from

@rmuir rmuir commented Nov 12, 2015

Currently we have these lines:

//// System code permissions:
//// These permissions apply to the JDK itself:

grant codeBase "file:${{java.ext.dirs}}/*" {
  permission java.security.AllPermission;
};

But this is not really officially correct, and a problem going forwards, see https://bugs.openjdk.java.net/browse/JDK-8040059 and related issues (https://bugs.openjdk.java.net/secure/IssueNavigator.jspa?reset=true&jqlQuery=labels+%3D+deprivilege)

Current java 9 config is here: http://hg.openjdk.java.net/jdk9/jdk9/jdk/file/tip/src/java.base/share/conf/security/java.policy

So we must properly bring in the system policy, and just disable the bad defaults it has (with escape hatch in case there is some issue with that). This makes things better for users out of box.

It also makes us properly behaved, respecting user and system configuration. See https://docs.oracle.com/javase/8/docs/technotes/guides/security/PolicyFiles.html for more information.

Closes #14690
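
The approach described above (consult the JVM's system policy but refuse selected defaults from it) can be sketched as a delegating `java.security.Policy`. This is an added example, not code from this pull request or from Elasticsearch; the class name, field names and sample grants are hypothetical. It assumes a JDK that still supports `java.security.Policy`, and treating `stopThread` (which the stock JDK 8 `java.policy` grants to all code) as a default to ignore is an assumption made for illustration.

```java
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.Arrays;
import java.util.List;

// Added example, not Elasticsearch code: all names below are hypothetical.
public final class FilteredSystemPolicy extends Policy {
    private final Policy system;                  // whatever java.policy files the JVM loaded
    private final PermissionCollection appGrants; // permissions the application grants itself
    private final List<Permission> ignored;       // system defaults we refuse to honour

    public FilteredSystemPolicy(Policy system, PermissionCollection appGrants, List<Permission> ignored) {
        this.system = system;
        this.appGrants = appGrants;
        this.ignored = ignored;
    }

    @Override
    public boolean implies(ProtectionDomain domain, Permission requested) {
        // 1. The application's own grants are decided first and are never filtered.
        if (appGrants.implies(requested)) {
            return true;
        }
        // 2. A request covered by an ignored default gets no help from the system policy.
        for (Permission bad : ignored) {
            if (bad.implies(requested)) {
                return false;
            }
        }
        // 3. Everything else defers to the system policy, so user and system
        //    configuration (for example grants added for an agent) is respected.
        return system.implies(domain, requested);
    }

    public static void main(String[] args) {
        Permissions appGrants = new Permissions();
        appGrants.add(new RuntimePermission("getClassLoader")); // constructed sample grant
        // Assumption for illustration: "stopThread" is a system default we choose to ignore.
        List<Permission> ignored = Arrays.<Permission>asList(new RuntimePermission("stopThread"));
        Policy policy = new FilteredSystemPolicy(Policy.getPolicy(), appGrants, ignored);
        ProtectionDomain self = FilteredSystemPolicy.class.getProtectionDomain();
        System.out.println("getClassLoader: " + policy.implies(self, new RuntimePermission("getClassLoader")));
        System.out.println("stopThread:     " + policy.implies(self, new RuntimePermission("stopThread")));
    }
}
```

Because the filter sits only in front of the system policy, a permission on the ignored list can still be granted deliberately through `appGrants`.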

@@ -253,7 +279,9 @@ static void addBindPermissions(Permissions policy, Settings settings) throws IOE
// a profile is only valid if its the default profile, or if it has an actual name and specifies a port
boolean valid = NettyTransport.DEFAULT_PROFILE.equals(name) || (Strings.hasLength(name) && profileSettings.get("port") != null);
if (valid) {
policy.add(new SocketPermission("localhost:" + transportRange, "listen,resolve"));
// listen is always called always called with 'localhost' but use wildcard to be sure, no name service is consulted.
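
Review bot: the trailing comment justifies a wildcard host for the listen grant, but the line directly above it still adds SocketPermission("localhost:" + transportRange, "listen,resolve"). As rendered here it is not clear whether the localhost grant stays alongside a wildcard one; if it does, the wildcard already covers it and the narrower line can be dropped, and if it does not, the comment should say so. Since the wildcard host is broader than the 'localhost' the comment says is actually requested, I would also state next to the grant that the breadth is intentional and keep the action list limited to what binding needs.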
Member

typo: "always called" twice

rjernst commented Nov 12, 2015

LGTM

@rmuir rmuir closed this in 720ebe3 Nov 12, 2015
rmuir added a commit that referenced this pull request Nov 13, 2015
Just suck in the system policy, so it's compatible with any version of java.
It means it also respects configuration (e.g. for monitoring agents)

Closes #14704
rmuir added a commit that referenced this pull request Nov 13, 2015
Just suck in the system policy, so it's compatible with any version of java.
It means it also respects configuration (e.g. for monitoring agents)

Closes #14704
@clintongormley clintongormley added the :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts label Nov 16, 2015
@mark-vieira mark-vieira added the Team:Delivery Meta label for Delivery team label Nov 11, 2020
Labels
>bug :Delivery/Packaging RPM and deb packaging, tar and zip archives, shell and batch scripts Team:Delivery Meta label for Delivery team v2.1.0 v2.2.0 v5.0.0-alpha1
Development

Successfully merging this pull request may close these issues.

Newrelic agent with 2.0.0