Protect execution of external processes
Preventing security-critical calls in scripts and templates
FirstSpirit offers the option of executing external classes and processes in various areas, for example:
- Via scripts (see Executing scripts) or
- Via functions in the FirstSpirit templates (see Functions in templates (FirstSpirit Online Documentation)).
Such dynamic content is inherently an attack surface. If these functions are misused, an attacker gains unprotected access to:
- Stopping the FirstSpirit Server and / or
- Access to project and server files in the file system (reading and writing)
Limiting permissions for script engines (default configuration)
To ensure smooth and secure operation of FirstSpirit servers, the default configuration runs all calls through the script engines (for BeanShell and FirstSpirit template code) with restricted permissions, so that security-critical functions cannot be called, on either the client or the server side.
In the default configuration, the following calls are prevented:
- System.exit (stopping the Java VM)
- System.setSecurityManager (replacing the FirstSpirit Security Manager)
Changing default configuration (optional)
By creating an fs-script.policy configuration file in the conf sub-directory of the FirstSpirit server, it is possible to configure different permissions for the script engine (in this case, to remove permissions).
The policy file supports an extended syntax (global grant and deny sections, priority).
Extensions to the Java policy file syntax:
- Priority “deny”: Access is allowed if it is not forbidden _and_ is defined as allowed.
- Priority “grant”: Access is allowed if it is defined as allowed _or_ is not forbidden.
See http://pro-grade.sourceforge.net/pro-grade.html#Decision_making_table
The permissions correspond to the standard Java permissions.
The following are not supported:
- Keystores
- CodeSource or
- Principals
When using an external application server, a security manager must be configured in it. Otherwise the policy file is not evaluated.
Additional documentation (external):
- http://pro-grade.sourceforge.net/pro-grade.html#Policy_files
- https://github.com/pro-grade/pro-grade#work-with-denying-rules
- https://docs.oracle.com/javase/8/docs/technotes/guides/security/permissions.html
The default configuration corresponds to this file:
priority "deny";
deny {
    permission java.lang.RuntimePermission "exitVM.*";
    permission java.lang.RuntimePermission "setSecurityManager";
};
grant {
    permission java.security.AllPermission;
};
Example of an extended configuration with limited file rights:
priority "grant";
grant {
    permission java.io.FilePermission "/tmp/*", "read,write";
    permission java.io.FilePermission "/home/user_x/-", "read";
};
deny {
    permission java.lang.RuntimePermission "exitVM.*";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
Access to the following files is allowed in the example configuration:
- All files directly in the /tmp directory (reading and writing),
- All files in the /home/user_x directory and in all sub-directories (only reading)
Permissions for all other files have been removed, so neither scripts nor FirstSpirit template code can access them.
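To make the priority rules and the file-permission targets of both policy files on this page concrete, the following added example (not FirstSpirit or pro-grade code) models in Python how a request such as "read /home/user_x/docs/a.txt" is decided. It parses the two policy texts from this page, applies the pro-grade decision table linked above (a matching deny entry wins under priority "deny"; a matching grant entry wins under priority "grant"; a permission no grant entry covers is refused, as in a plain Java policy), and implements the java.io.FilePermission target forms used here ("/dir/*" for files directly in a directory, "/dir/-" for everything below it, "<<ALL FILES>>") plus the ".*" wildcard of RuntimePermission. The requested paths and action sets are constructed for the demonstration; the helper names (parse_policy, implies, check) are this example's own.

```python
"""Model of the pro-grade policy decisions behind fs-script.policy.

Added example, not FirstSpirit or pro-grade code. Re-implements the
priority decision table and the FilePermission / RuntimePermission target
matching so the two policy files from the page can be evaluated offline.
"""
import re
from dataclasses import dataclass

# Policy texts copied from the page (the default and the restricted example).
DEFAULT_POLICY = '''
priority "deny";
deny {
    permission java.lang.RuntimePermission "exitVM.*";
    permission java.lang.RuntimePermission "setSecurityManager";
};
grant {
    permission java.security.AllPermission;
};
'''

RESTRICTED_POLICY = '''
priority "grant";
grant {
    permission java.io.FilePermission "/tmp/*", "read,write";
    permission java.io.FilePermission "/home/user_x/-", "read";
};
deny {
    permission java.lang.RuntimePermission "exitVM.*";
    permission java.lang.RuntimePermission "setSecurityManager";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write";
};
'''


@dataclass(frozen=True)
class Permission:
    cls: str            # e.g. "java.io.FilePermission"
    target: str         # e.g. "/tmp/*" or "exitVM.*"; "" for AllPermission
    actions: frozenset  # e.g. {"read", "write"}; empty for RuntimePermission


def parse_policy(text):
    """Return (priority, grant_entries, deny_entries) from pro-grade policy text."""
    m = re.search(r'priority\s+"(grant|deny)"\s*;', text)
    priority = m.group(1) if m else "deny"   # pro-grade defaults to deny-wins
    sections = {"grant": [], "deny": []}
    for kind, body in re.findall(r'(grant|deny)\s*\{(.*?)\}\s*;?', text, re.S):
        for pm in re.finditer(
            r'permission\s+([\w.]+)(?:\s+"([^"]*)")?(?:\s*,\s*"([^"]*)")?\s*;', body
        ):
            cls, target, actions = pm.group(1), pm.group(2) or "", pm.group(3)
            acts = frozenset(a.strip() for a in actions.split(",")) if actions else frozenset()
            sections[kind].append(Permission(cls, target, acts))
    return priority, sections["grant"], sections["deny"]


def _file_target_matches(pattern, path):
    """java.io.FilePermission target semantics (POSIX paths, simplified)."""
    if pattern == "<<ALL FILES>>":
        return True
    if pattern.endswith("/-"):                      # directory tree, recursively
        return path.startswith(pattern[:-1])
    if pattern.endswith("/*"):                      # direct children only
        base = pattern[:-1]
        return path.startswith(base) and "/" not in path[len(base):]
    return path == pattern


def _basic_target_matches(pattern, name):
    """BasicPermission (RuntimePermission) wildcard: 'exitVM.*' covers 'exitVM.0'."""
    if pattern == "*":
        return True
    if pattern.endswith(".*"):
        return name.startswith(pattern[:-1])
    return name == pattern


def implies(entry, requested):
    """Does a policy entry cover the requested permission (target and actions)?"""
    if entry.cls == "java.security.AllPermission":
        return True
    if entry.cls != requested.cls:
        return False
    if entry.cls == "java.io.FilePermission":
        return (_file_target_matches(entry.target, requested.target)
                and requested.actions <= entry.actions)
    return _basic_target_matches(entry.target, requested.target)


def is_allowed(policy, requested):
    """pro-grade decision table: priority decides conflicts between the sections."""
    priority, grants, denies = policy
    granted = any(implies(g, requested) for g in grants)
    denied = any(implies(d, requested) for d in denies)
    if priority == "grant":
        return granted               # a grant entry wins; nothing granted stays refused
    return granted and not denied    # priority "deny": a deny entry always wins


def check(policy_text, cls, target, actions=""):
    """Convenience wrapper: evaluate one request against a policy text."""
    req = Permission(cls, target, frozenset(a for a in actions.split(",") if a))
    return is_allowed(parse_policy(policy_text), req)


if __name__ == "__main__":
    # Constructed requests, as a script engine might issue them.
    requests = [
        ("java.lang.RuntimePermission", "exitVM.0", ""),
        ("java.io.FilePermission", "/tmp/upload.txt", "read,write"),
        ("java.io.FilePermission", "/tmp/sub/file", "read"),
        ("java.io.FilePermission", "/home/user_x/docs/a.txt", "read"),
        ("java.io.FilePermission", "/home/user_x/docs/a.txt", "write"),
        ("java.io.FilePermission", "/etc/passwd", "read"),
    ]
    for label, policy in (("default", DEFAULT_POLICY), ("restricted", RESTRICTED_POLICY)):
        for cls, target, actions in requests:
            verdict = "allowed" if check(policy, cls, target, actions) else "DENIED"
            print(f"{label:10} {cls.rsplit('.', 1)[1]} {target!r} {actions or '-'}: {verdict}")
```

Running it shows that the default policy allows every file access but refuses exitVM and setSecurityManager, while the restricted policy allows only direct files in /tmp (read and write) and the /home/user_x tree (read only); a write under /home/user_x or a read of /etc/passwd is refused because the only matching entry is the "<<ALL FILES>>" deny.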