SecurityManager environments

Uwe Schindler uschindler at apache.org
Thu Apr 6 14:25:53 UTC 2017


Hi,

> > >> To be honest, we don't see a lot of security manager
> > >> usage on the server side these days.
> >
> > I'm really surprised about that. How can an app server or servlet container
> > like JBoss, Tomcat etc. guarantee that System.exit does not shut down
> > the JVM?
> AFAIK the app servers have to provide a way to run with a security
> manager but I don't know how many app servers run it by default.
> 
> The System.exit example is a good example that has come up a few times.
> There is at least one IDE that used to run with a SM so that it could
> block plugins from calling System.exit. That use case is one that
> probably needs a specific API.

Elasticsearch Server also blocks System.exit, so plugins or scripts running inside the query cannot shut down the server (it also blocks much other stuff for sandboxing everything). The main problem with implementing the exitVM permission is to make it work so that you can still exit on your own :-) If you forbid exiting the VM, you cannot do it on your own. (This cannot be done in a policy file, because the exit permission is given by default.)

This is by the way a good use case for the new StackWalker API! The Elasticsearch (and Apache Lucene's test runner) SecurityManager do Thread.currentThread().getStackTrace() and then walk down the stack and only allow exiting if the right class/package is on the stack trace right before the System/Runtime.exit() call. E.g.,

<https://github.com/elastic/securesm/blob/master/src/main/java/org/elasticsearch/SecureSM.java#L199-L249>
<https://github.com/elastic/elasticsearch/blob/master/core/src/main/java/org/elasticsearch/bootstrap/Security.java#L119>

I agree some improvements to SecurityManager around that would be good. It is really hard to implement that (only allow exiting from a specific class/method), as you need to inspect the stack, otherwise you cannot exit on your own... The code here is still known as the "Uwe Schindler" algorithm in the community, originating from Apache Lucene and was just forked in Elasticsearch. They made a Maven package out of it (SecureSM takes a list of packages that are allowed to exit the VM): <http://search.maven.org/#search%7Cgav%7C1%7Cg%3A%22org.elasticsearch%22%20AND%20a%3A%22securesm%22>

Uwe
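The stack-inspection trick described in the message above, as an added example written for this page; it is not Elasticsearch's SecureSM or Lucene's test-runner code. It uses the Java 9 StackWalker API instead of Thread.getStackTrace(), and it matches the caller against exact class names rather than SecureSM's package list (both choices are assumptions of this example, as are the package and class names org.example.bootstrap.Main and Main$UntrustedPlugin). Only checkExit is enforced; every other permission is waved through, so this is not a sandbox, just the "who called exit()" decision.

```java
package org.example.bootstrap;

import java.security.Permission;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

/**
 * Example exit guard (not SecureSM): deny exitVM to everyone except callers
 * whose class is on an allow-list, decided by looking at the frame that sits
 * directly below System.exit / Runtime.exit / Runtime.halt on the stack.
 */
public final class Main {

    static final class ExitGuardSM extends SecurityManager {
        private static final StackWalker WALKER = StackWalker.getInstance();
        private final Set<String> allowedCallers; // fully qualified class names (assumption: exact match)

        ExitGuardSM(Set<String> allowedCallers) {
            this.allowedCallers = allowedCallers;
        }

        // Permissive for everything except exit; a real sandbox enforces a policy here.
        @Override public void checkPermission(Permission perm) { }
        @Override public void checkPermission(Permission perm, Object context) { }

        @Override
        public void checkExit(int status) {
            String caller = exitCaller();
            if (caller == null || !allowedCallers.contains(caller)) {
                throw new SecurityException("exit(" + status + ") denied for caller " + caller);
            }
        }

        /** Class that invoked System.exit/Runtime.exit/Runtime.halt, or null if none found. */
        private static String exitCaller() {
            List<StackWalker.StackFrame> frames =
                WALKER.walk(s -> s.collect(Collectors.toList()));
            // Frames run newest to oldest: exitCaller, checkExit, Runtime.exit,
            // [System.exit], <the real caller>, ...
            for (int i = 0; i < frames.size(); i++) {
                if (!isExitFrame(frames.get(i))) continue;
                int j = i + 1;
                while (j < frames.size() && isExitFrame(frames.get(j))) j++; // skip System.exit -> Runtime.exit chain
                return j < frames.size() ? frames.get(j).getClassName() : null;
            }
            return null; // checkExit reached outside an exit() call: deny
        }

        private static boolean isExitFrame(StackWalker.StackFrame f) {
            String c = f.getClassName(), m = f.getMethodName();
            return (c.equals("java.lang.Runtime") || c.equals("java.lang.System"))
                && (m.equals("exit") || m.equals("halt"));
        }
    }

    /** Stands in for a plugin or script; its class name is org.example.bootstrap.Main$UntrustedPlugin. */
    static final class UntrustedPlugin implements Runnable {
        @Override public void run() { System.exit(1); }
    }

    public static void main(String[] args) {
        System.setSecurityManager(new ExitGuardSM(Set.of("org.example.bootstrap.Main")));

        try {
            new UntrustedPlugin().run();
            System.out.println("unreachable: plugin exit was not blocked");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }

        // Main itself is on the allow-list, so this exit goes through.
        System.out.println("bootstrap exiting");
        System.exit(0);
    }
}
```

Two caveats a practitioner should keep in mind. First, the check trusts whoever is directly below exit() on the stack, so an allow-listed class must never expose a method that calls System.exit on a plugin's behalf, or the plugin gets a confused-deputy exit for free; this is inherent to the technique, not specific to this example. Second, SecurityManager was deprecated for removal in JDK 17 and JDK 18 refuses System.setSecurityManager at runtime unless the JVM is started with -Djava.security.manager=allow, so on current JDKs this pattern only works with that flag and with no replacement API yet for the exitVM use case.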



More information about the jigsaw-dev mailing list