Skip to content

executable jar security problem (launch.script) #4935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ivnik opened this issue Jan 13, 2016 · 5 comments
Closed

executable jar security problem (launch.script) #4935

ivnik opened this issue Jan 13, 2016 · 5 comments
Assignees
@wilkinsona
Labels
type: documentation A documentation update
Milestone
1.3.2

Comments

@ivnik
Copy link

ivnik commented Jan 13, 2016

I created an executable jar with spring boot (spring-boot-maven-plugin, true)
When run as the init.d service (as root), script executes .conf file with root privileges.

[[ -r "${jarfolder}/${configfile}" ]] && source "${jarfolder}/${configfile}"

man bash:

       source filename [arguments]
              Read  and  execute  commands from filename in the current shell environment and return the exit status of the last command executed from filename.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Jan 13, 2016
@wilkinsona
Copy link
Member

Given that you control the contents of the .conf file, its ownership and its permissions, why do you consider this to be a security problem? When installing the service, I'd make root the owner of the .conf file and make it read-only.

@wilkinsona wilkinsona added status: waiting-for-feedback We need additional information before we can continue and removed status: waiting-for-triage An issue we've not yet triaged labels Jan 13, 2016
@ivnik
Copy link
Author

ivnik commented Jan 14, 2016

Ok. It may be worth writing in the documentation that the conf file owner must file to be root not writable to any user (and folder where jar placed should also can not be writable to any user). Or may be check ownership/acl before execute conf file?

And what about executable jar owned by user? If my java app hacked by somebody, hacker can overwrite my executable jar and obtain root privileges after system restart.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Jan 14, 2016
@wilkinsona
Copy link
Member

And what about executable jar owned by user? If my java app hacked by somebody, hacker can overwrite my executable jar and obtain root privileges after system restart.

You should lock the file down to prevent it from being changed. For example, you could use chattr +i to make it immutable. Note that using chmod isn't sufficient as the owner of the file, if compromised, could make it writable again. Even if the user is locked down and prevented from using chmod, that user still has to be able to launch the JVM which, via the Java 7 Files API, could change the permissions of the file.

We'll make some updates to the documentation to describe these best practices.

@wilkinsona wilkinsona added type: documentation A documentation update and removed status: feedback-provided Feedback has been provided labels Jan 15, 2016
@wilkinsona wilkinsona added this to the 1.3.2 milestone Jan 15, 2016
@wilkinsona wilkinsona self-assigned this Jan 15, 2016
@ivnik
Copy link
Author

ivnik commented Jan 15, 2016

The conf file must also exists and be write protected via chattr for the same reason. May be check ownership & chattr +i flag before execute conf file?

@wilkinsona
Copy link
Member

The conf file must also exists and be write protected via chattr for the same reason

That's not the case. You don't have to use a .conf file. If you do, and you're running the service as root, then it's sufficient for it to be owned by root and to only be readable by root.

May be check ownership & chattr +i flag before execute conf file?

That's too strong an opinion for the launch script to take. You may not be running the app as root, e.g. you might be executing the app directly, rather than via init.d. Furthermore, there are also other ways to secure things other than using chattr that may be more appropriate for a particular user's environment.

php-coder added a commit to php-coder/mystamps that referenced this issue Aug 7, 2016
@php-coder
Use systemd for managing service.
801073a 
@see commit a889546
@see https://www.freedesktop.org/software/systemd/man/systemd.service.html
@see https://www.freedesktop.org/software/systemd/man/systemd.directives.html
@see http://docs.spring.io/spring-boot/docs/1.3.x/reference/html/deployment-install.html#deployment-systemd-service
@see http://journal.thobe.org/2013/02/jvms-and-kill-signals.html

A couple of links about unsecure behavior of the default init-script:
@see https://habrahabr.ru/post/275203/ (in Russian)
@see spring-projects/spring-boot#4935

Addressed to #399

[ci skip]
cssru pushed a commit to cssru/mystamps that referenced this issue Aug 24, 2016
@php-coder @cssru
Use systemd for managing service.
d428041 
@see commit a889546
@see https://www.freedesktop.org/software/systemd/man/systemd.service.html
@see https://www.freedesktop.org/software/systemd/man/systemd.directives.html
@see http://docs.spring.io/spring-boot/docs/1.3.x/reference/html/deployment-install.html#deployment-systemd-service
@see http://journal.thobe.org/2013/02/jvms-and-kill-signals.html

A couple of links about unsecure behavior of the default init-script:
@see https://habrahabr.ru/post/275203/ (in Russian)
@see spring-projects/spring-boot#4935

Addressed to php-coder#399

[ci skip]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@wilkinsona wilkinsona

Labels
type: documentation A documentation update
Projects
None yet
Milestone
1.3.2
Development

No branches or pull requests
3 participants
@wilkinsona @ivnik @spring-projects-issues