dev@glassfish.java.net

Re: request asarch review for deploy command enhancement in GlassFish

From: 吕宋平 <lvsongping_at_gmail.com>
Date: Wed, 22 May 2013 16:18:53 +0800

Hi, Bill:

Cc: asarch_ww members, Security team:



     Yes, the one pager which has been approved on the wiki didn't take
care of such a security problem. The change can cause the server to access files
and network resources that the administrator might not be able to access
directly. But I think this security issue only happens with the file://
syntax.

     I think both the administrator and the server can access the source
file and network resource when it comes to the http:// syntax and
ftp:// syntax, so I think there is no need to take security into
consideration in these situations.



[For Example]

A: glassfish server

B: glassfish server

C: ftp server

D: http server



(1) Deploy the application from machine B (regard A as the admin client
side, and B as the server side)

Execute the command line on machine A as asadmin deployuri --host
host_address_B file:///etc/appname. It's true that
administrator A can't access the application that exists on machine B, but
the application will be deployed to B through this command; the
administrator of A only knows the application name but doesn't know what exists
in the application. I don't think it will affect security so much.



(2) Deploy the application from the machine C

Execute the command line on machine A as asadmin deployuri
ftp://username:password@host_C:21/appname.
I think both the administrator and the server side on machine A can
access the application that exists on the ftp server C. I think there is no need to
take security into consideration here because both the administrator
and the server can access the source file.



(3) Deploy the application from the machine D

Execute the command line on machine A as asadmin deployuri
http://host_address_D/appname. I think
both the administrator and the server side on machine A can access the
application that exists on the http server D. I think there is no need to take
security into consideration here because both the administrator and
the server can access the source file.


> Perhaps I'm being paranoid but I'd like to see some discussion about the
> security implications of being able to tell the server to access resources
> that you might not be able to access directly. Certainly the check for
> filename extensions will help, but you still need to be sure to handle
> cases such as "file:///etc/passwd?name=foo.ear".

  I'm not sure about the file:// syntax
"file:///etc/passwd?name=foo.ear". Could
you clarify about this?

I don't think the change will affect security too much. So I hope you
and the security team will list more questions and discussion here.

Thanks

-Jeremy


2013/5/22 Bill Shannon <bill.shannon_at_oracle.com>

> Thanks for writing the one-pager, Jeremy!
>
> My biggest concern with this is security. It seems that with this change
> the administrator on a client machine can cause the server to access files
> and network resources that the administrator might not be able to access
> directly.

Yes, but I think it does only happen with the "file://"
syntax. I think both the server and the administrator can access the
source file and network resources with the ftp:// syntax and http:// syntax.


> It may be true that an administrator already has many ways to cause the
> server to do things such as this, but this certainly provides a more direct
> path.
>

> What would happen in the future if we had (for example) some sort of role
> based access control where some administrators had fewer privileges than
> others? If we wanted to allow some administrators to only deploy and
> manage applications, but not stop or reconfigure the server, would it be
> safe to allow such an administrator to use this command?
>
>
> Perhaps I'm being paranoid but I'd like to see some discussion about the
> security implications of being able to tell the server to access resources
> that you might not be able to access directly. Certainly the check for
> filename extensions will help, but you still need to be sure to handle
> cases such as "file:///etc/passwd?name=foo.ear".
>
> What do our security experts think?
>
>
> 吕宋平 wrote on 05/21/13 04:49:
>
> Hi, Hong:
> Cc: Bill, asarch_ww members:
>
> I want to request an asarch review for enhancement of deploy
> command to support URI operand in GlassFish. There were some previous
> discussions on the enhancement (Sahoo, Tom were also involved), and Tom
> suggested it might be good to let asarch review the proposal as well.
>
> I have written up the proposal in one pager format and posted here:
> https://wikis.oracle.com/display/GlassFish/Production+DeployUri+One+pager
>
> Thanks!
>
> -Jeremy
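The extension-check point raised in Bill's message, as an added example that is not part of this thread or of GlassFish: a Python sketch of a deploy-URI validator that reads the extension from the parsed path component rather than the raw string (so "file:///etc/passwd?name=foo.ear" is rejected) and confines file: URIs to an administrator-configured directory. ALLOWED_SCHEMES, ALLOWED_EXTENSIONS and FILE_ROOT are assumed policy values, not settings of the real deploy command.

```python
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed policy values (assumptions, not GlassFish configuration).
ALLOWED_SCHEMES = {"http", "https", "ftp", "file"}
ALLOWED_EXTENSIONS = {".ear", ".war", ".jar"}
FILE_ROOT = "/var/glassfish/deploy"  # the only directory file: URIs may read


def naive_extension_ok(uri):
    """The check Bill warns about: it looks at the raw URI string, so a
    query string can carry a decoy extension ("...passwd?name=foo.ear")."""
    return uri.lower().endswith(tuple(ALLOWED_EXTENSIONS))


def validate_deploy_uri(uri, file_root=FILE_ROOT):
    """Return (scheme, path) for an acceptable deploy URI, else raise ValueError.
    The extension is read from the parsed path only; file: URIs are also
    confined to file_root so the server reads nothing else on the admin's behalf."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    # Decode percent-escapes only after splitting: an encoded '?' is then a
    # literal character of the file name, not a query separator.
    path = unquote(parts.path)
    ext = posixpath.splitext(path)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"{path!r} is not a deployable archive")
    if scheme == "file":
        if parts.netloc not in ("", "localhost"):
            raise ValueError("file: URIs must refer to the server host")
        if parts.query or parts.fragment:
            raise ValueError("query/fragment are meaningless for file: URIs")
        # Collapse '..' segments before the containment check; a production
        # version should also resolve symlinks (os.path.realpath).
        path = posixpath.normpath(path)
        root = posixpath.normpath(file_root)
        if not path.startswith(root + "/"):
            raise ValueError(f"{path!r} is outside {root!r}")
    return scheme, path


def is_deployable(uri, file_root=FILE_ROOT):
    """Boolean wrapper around validate_deploy_uri for quick policy checks."""
    try:
        validate_deploy_uri(uri, file_root)
    except ValueError:
        return False
    return True
```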