From 5eab7fedf1c78610b5e030b9e07e93f32633e9ad Mon Sep 17 00:00:00 2001 From: Endi Sukma Dewata Date: Tue, 2 Oct 2012 11:40:35 -0500 Subject: Enabled Tomcat security manager. The tomcat.conf and the template deployment configuration have been modified to enable the security manager. The operations script has been modified to generate a new catalina.policy from the standard Tomcat policy, the standard PKI policy and the custom policy every time the instance is started. The current catalina.policy has been changed to store a header for the dynamically generated catalina.policy. A new pki.policy has been added to store the default PKI security policy. An empty custom.policy has been added to store policy customization. Ticket #223 --- base/common/shared/conf/catalina.policy | 251 +------------------------------- base/common/shared/conf/custom.policy | 5 + base/common/shared/conf/pki.policy | 188 ++++++++++++++++++++++++ base/common/shared/conf/tomcat.conf | 2 +- base/deploy/config/pkideployment.cfg | 2 +- base/deploy/scripts/operations | 7 + 6 files changed, 204 insertions(+), 251 deletions(-) create mode 100644 base/common/shared/conf/custom.policy create mode 100644 base/common/shared/conf/pki.policy diff --git a/base/common/shared/conf/catalina.policy b/base/common/shared/conf/catalina.policy index 02c1eea0a..7023a10fb 100644 --- a/base/common/shared/conf/catalina.policy +++ b/base/common/shared/conf/catalina.policy @@ -1,252 +1,5 @@ -// --- BEGIN COPYRIGHT BLOCK --- -// Copyright (C) 2012 Red Hat, Inc. -// All rights reserved. -// Modifications: configuration parameters -// --- END COPYRIGHT BLOCK --- - -// Licensed to the Apache Software Foundation (ASF) under one or more -// contributor license agreements. See the NOTICE file distributed with -// this work for additional information regarding copyright ownership. -// The ASF licenses this file to You under the Apache License, Version 2.0 -// (the "License"); you may not use this file except in compliance with -// the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - // ============================================================================ -// catalina.policy - Security Policy Permissions for Tomcat 7 -// -// This file contains a default set of security policies to be enforced (by the -// JVM) when Catalina is executed with the "-security" option. In addition -// to the permissions granted here, the following additional permissions are -// granted to each web application: -// -// * Read access to the web application's document root directory -// * Read, write and delete access to the web application's working directory -// -// $Id: catalina.policy 1220297 2011-12-17 22:55:28Z markt $ +// Do not edit this file. This file is automatically generated from +// the default Tomcat policy, default PKI policy and custom policy. // ============================================================================ - -// ========== SYSTEM CODE PERMISSIONS ========================================= - - -// These permissions apply to javac -grant codeBase "file:${java.home}/lib/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to all shared system extensions -grant codeBase "file:${java.home}/jre/lib/ext/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre -grant codeBase "file:${java.home}/../lib/-" { - permission java.security.AllPermission; -}; - -// These permissions apply to all shared system extensions when -// ${java.home} points at $JAVA_HOME/jre -grant codeBase "file:${java.home}/lib/ext/-" { - permission java.security.AllPermission; -}; - - -// ========== CATALINA CODE PERMISSIONS ======================================= - - -// These permissions apply to the daemon code -grant codeBase "file:${catalina.home}/bin/commons-daemon.jar" { - permission java.security.AllPermission; -}; - -// These permissions apply to the logging API -// Note: If tomcat-juli.jar is in ${catalina.base} and not in ${catalina.home}, -// update this section accordingly. -// grant codeBase "file:${catalina.base}/bin/tomcat-juli.jar" {..} -grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { - permission java.io.FilePermission - "${java.home}${file.separator}lib${file.separator}logging.properties", "read"; - - permission java.io.FilePermission - "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; - permission java.io.FilePermission - "${catalina.base}${file.separator}logs", "read, write"; - permission java.io.FilePermission - "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; - - permission java.lang.RuntimePermission "shutdownHooks"; - permission java.lang.RuntimePermission "getClassLoader"; - permission java.lang.RuntimePermission "setContextClassLoader"; - - permission java.util.logging.LoggingPermission "control"; - - permission java.util.PropertyPermission "java.util.logging.config.class", "read"; - permission java.util.PropertyPermission "java.util.logging.config.file", "read"; - permission java.util.PropertyPermission "catalina.base", "read"; - permission java.util.PropertyPermission - "org.apache.juli.logging.UserDataHelper.CONFIG", "read"; - permission java.util.PropertyPermission - "org.apache.juli.logging.UserDataHelper.SUPPRESSION_TIME", "read"; - - // Note: To enable per context logging configuration, permit read access to - // the appropriate file. Be sure that the logging configuration is - // secure before enabling such access. - // E.g. for the examples web application (uncomment and unwrap - // the following to be on a single line): - // permission java.io.FilePermission "${catalina.base}${file.separator} - // webapps${file.separator}examples${file.separator}WEB-INF - // ${file.separator}classes${file.separator}logging.properties", "read"; -}; - -// These permissions apply to the server startup code -grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { - permission java.security.AllPermission; -}; - -// These permissions apply to the servlet API classes -// and those that are shared across all class loaders -// located in the "lib" directory -grant codeBase "file:${catalina.home}/lib/-" { - permission java.security.AllPermission; -}; - - -// If using a per instance lib directory, i.e. ${catalina.base}/lib, -// then the following permission will need to be uncommented -// grant codeBase "file:${catalina.base}/lib/-" { -// permission java.security.AllPermission; -// }; - - -// ========== WEB APPLICATION PERMISSIONS ===================================== - - -// These permissions are granted by default to all web applications -// In addition, a web application will be given a read FilePermission -// and JndiPermission for all files and directories in its document root. -grant { - // Required for JNDI lookup of named JDBC DataSource's and - // javamail named MimePart DataSource used to send mail - permission java.util.PropertyPermission "java.home", "read"; - permission java.util.PropertyPermission "java.naming.*", "read"; - permission java.util.PropertyPermission "javax.sql.*", "read"; - - // OS Specific properties to allow read access - permission java.util.PropertyPermission "os.name", "read"; - permission java.util.PropertyPermission "os.version", "read"; - permission java.util.PropertyPermission "os.arch", "read"; - permission java.util.PropertyPermission "file.separator", "read"; - permission java.util.PropertyPermission "path.separator", "read"; - permission java.util.PropertyPermission "line.separator", "read"; - - // JVM properties to allow read access - permission java.util.PropertyPermission "java.version", "read"; - permission java.util.PropertyPermission "java.vendor", "read"; - permission java.util.PropertyPermission "java.vendor.url", "read"; - permission java.util.PropertyPermission "java.class.version", "read"; - permission java.util.PropertyPermission "java.specification.version", "read"; - permission java.util.PropertyPermission "java.specification.vendor", "read"; - permission java.util.PropertyPermission "java.specification.name", "read"; - - permission java.util.PropertyPermission "java.vm.specification.version", "read"; - permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; - permission java.util.PropertyPermission "java.vm.specification.name", "read"; - permission java.util.PropertyPermission "java.vm.version", "read"; - permission java.util.PropertyPermission "java.vm.vendor", "read"; - permission java.util.PropertyPermission "java.vm.name", "read"; - - // Required for OpenJMX - permission java.lang.RuntimePermission "getAttribute"; - - // Allow read of JAXP compliant XML parser debug - permission java.util.PropertyPermission "jaxp.debug", "read"; - - // All JSPs need to be able to read this package - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat"; - - // Precompiled JSPs need access to these packages. - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; - permission java.lang.RuntimePermission - "accessClassInPackage.org.apache.jasper.runtime.*"; - - // Precompiled JSPs need access to these system properties. - permission java.util.PropertyPermission - "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; - permission java.util.PropertyPermission - "org.apache.el.parser.COERCE_TO_ZERO", "read"; - - // The cookie code needs these. - permission java.util.PropertyPermission - "org.apache.catalina.STRICT_SERVLET_COMPLIANCE", "read"; - permission java.util.PropertyPermission - "org.apache.tomcat.util.http.ServerCookie.STRICT_NAMING", "read"; - permission java.util.PropertyPermission - "org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATOR", "read"; - - // Applications using Comet need to be able to access this package - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.comet"; -}; - - -// The Manager application needs access to the following packages to support the -// session display functionality. These settings support the following -// configurations: -// - default CATALINA_HOME == CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE -// - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME -grant codeBase "file:${catalina.base}/webapps/manager/-" { - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; -}; -grant codeBase "file:${catalina.home}/webapps/manager/-" { - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util"; - permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util"; -}; - -// You can assign additional permissions to particular web applications by -// adding additional "grant" entries here, based on the code base for that -// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. -// -// Different permissions can be granted to JSP pages, classes loaded from -// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ -// directory, or even to individual jar files in the /WEB-INF/lib/ directory. -// -// For instance, assume that the standard "examples" application -// included a JDBC driver that needed to establish a network connection to the -// corresponding database and used the scrape taglib to get the weather from -// the NOAA web server. You might create a "grant" entries like this: -// -// The permissions granted to the context root directory apply to JSP pages. -// grant codeBase "file:${catalina.base}/webapps/examples/-" { -// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; -// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; -// }; -// -// The permissions granted to the context WEB-INF/classes directory -// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { -// }; -// -// The permission granted to your JDBC driver -// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { -// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; -// }; -// The permission granted to the scrape taglib -// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { -// permission java.net.SocketPermission "*.noaa.gov:80", "connect"; -// }; - diff --git a/base/common/shared/conf/custom.policy b/base/common/shared/conf/custom.policy new file mode 100644 index 000000000..94f65a1d4 --- /dev/null +++ b/base/common/shared/conf/custom.policy @@ -0,0 +1,5 @@ +// ============================================================================ +// custom.policy - Custom Security Policy Permissions for PKI +// +// Custom security policies for PKI should be stored in this file. +// ============================================================================ diff --git a/base/common/shared/conf/pki.policy b/base/common/shared/conf/pki.policy new file mode 100644 index 000000000..d26598671 --- /dev/null +++ b/base/common/shared/conf/pki.policy @@ -0,0 +1,188 @@ +// --- BEGIN COPYRIGHT BLOCK --- +// Copyright (C) 2012 Red Hat, Inc. +// All rights reserved. +// --- END COPYRIGHT BLOCK --- + +// ============================================================================ +// pki.policy - Default Security Policy Permissions for PKI on Tomcat 7 +// +// This file contains a default set of security policies for PKI running inside +// Tomcat 7. +// ============================================================================ + +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.lang.RuntimePermission "accessClassInPackage.sun.util.logging.resources"; +}; + +grant codeBase "file:${catalina.base}/bin/bootstrap.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/lib/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/lib/java/jss4.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/lib64/java/jss4.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/commons-codec.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/apache-commons-lang.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/apache-commons-logging.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/ecj.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/eclipse/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/glassfish-jsp.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/httpcomponents/httpclient.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/httpcomponents/httpcore.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/javassist.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/jaxb-api.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/jaxme/jaxmeapi.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/jaxp_parser_impl.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/jboss-web.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/jettison.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/ldapjdk.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/log4j.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/resteasy/jaxrs-api.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/resteasy/resteasy-atom-provider.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/resteasy/resteasy-jaxb-provider.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/resteasy/resteasy-jaxrs.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/resteasy/resteasy-jettison-provider.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/scannotation.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/servlet.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/tomcat/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/tomcat7jss.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/tomcat-el-api.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/tomcat-servlet-api.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/velocity.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/xerces-j2.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/xml-commons-apis.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/xml-commons-resolver.jar" { + permission java.security.AllPermission; +}; + +grant codeBase "file:/usr/share/java/pki/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/pki/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/ca/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/kra/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/ocsp/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/tks/-" { + permission java.security.AllPermission; +}; + +grant codeBase "file:${catalina.base}/webapps/ROOT/-" { + permission java.security.AllPermission; +}; + diff --git a/base/common/shared/conf/tomcat.conf b/base/common/shared/conf/tomcat.conf index 9c1a81bb7..54d67e4b4 100644 --- a/base/common/shared/conf/tomcat.conf +++ b/base/common/shared/conf/tomcat.conf @@ -39,7 +39,7 @@ TOMCAT_USER="[PKI_USER]" #LANG="en_US" # Run tomcat under the Java Security Manager -#SECURITY_MANAGER="[PKI_SECURITY_MANAGER]" +SECURITY_MANAGER="[PKI_SECURITY_MANAGER]" # Time to wait in seconds, before killing process #SHUTDOWN_WAIT="30" diff --git a/base/deploy/config/pkideployment.cfg b/base/deploy/config/pkideployment.cfg index 2a62c5e7d..772d35f71 100644 --- a/base/deploy/config/pkideployment.cfg +++ b/base/deploy/config/pkideployment.cfg @@ -119,7 +119,7 @@ pki_https_port=8443 pki_instance_name=pki-tomcat pki_proxy_http_port=80 pki_proxy_https_port=443 -pki_security_manager=false +pki_security_manager=true pki_tomcat_server_port=8005 ############################################################################### ## 'CA' Data: ## diff --git a/base/deploy/scripts/operations b/base/deploy/scripts/operations index 4716e766f..be5053ba2 100644 --- a/base/deploy/scripts/operations +++ b/base/deploy/scripts/operations @@ -1216,6 +1216,13 @@ start_instance() case $PKI_WEB_SERVER_TYPE in tomcat) + # Generate catalina.policy dynamically. + cat /usr/share/pki/server/conf/catalina.policy \ + /usr/share/tomcat/conf/catalina.policy \ + /usr/share/pki/server/conf/pki.policy \ + /var/lib/pki/$PKI_INSTANCE_ID/conf/custom.policy > \ + /var/lib/pki/$PKI_INSTANCE_ID/conf/catalina.policy + # We must export the service name so that the systemd version # of the tomcat init script knows which instance specific # configuration file to source. -- cgit