Execution constraints configuration (fs-exec.conf)

The file fs-exec.conf is located in <FirstSpirit Server>/conf/ and contains the configuration for execution constraints applied to scripts and templates. These constraints protect the server against unintended or harmful operations that could be executed from script or template code.

By default, the file fs-exec.conf is not present in the conf directory. In this case, the server uses the internally defined default values. The file only needs to be created manually in the <FirstSpirit Server>/conf/ directory when a customised configuration is required. Only the values that differ from the defaults need to be specified — all unspecified values are inherited from the default configuration.

Changes to the file fs-exec.conf are detected at runtime and reloaded automatically. A server restart is not required.

The execution constraints can be disabled entirely via the parameter execControlConstraints in fs-server.conf (see Area: Server).

Constraints

Three constraints are available, each of which can be enabled or disabled independently:

  • RuntimeExitConstraint: Prevents calls to System.exit(), System.halt(), Runtime.exit() and Runtime.halt(). This prevents scripts or templates from terminating the entire server process.
  • ServerFileConstraint: Restricts access to files within the FirstSpirit Server file system. A blacklist is used: files matching any of the configured patterns are blocked from access.
    Additionally, files to be protected can be configured with the following pattern:
    ServerFileConstraint.matcher.NN=<path in glob syntax>
    Numbers starting from 20 should be used for NN.
  • ProcessStartConstraint: Restricts the creation of external processes (e.g. via ProcessBuilder or ProcessAgent). A whitelist is used: only executable files whose path matches one of the configured patterns may be started.
    ProcessStartConstraint.matcher.NN=<path in glob syntax>
    Numbers starting from 10 should be used for NN.

Execution contexts

The configuration can be differentiated per execution context. The [default] section defines the default values for all contexts. A named section (e.g. [Invoker]) selectively overrides individual values for the respective context.

The following contexts are defined:

  • BeanshellExecutable: BeanShell scripts (e.g. script actions in schedules, scripts in SiteArchitect/ContentCreator)
  • Invoker: Template execution (e.g. during generation or preview)

Example: To allow process creation by default but forbid it from templates:

[default]
ProcessStartConstraint.enabled=false

[Invoker]
ProcessStartConstraint.enabled=true

Default configuration

If there is no fs-exec.conf file in the conf directory, the following default values apply:

[default]
# Prohibiting System.exit() and Runtime.halt()
RuntimeExitConstraint.enabled=true

# Restrict access to protected server files (Blacklist)
ServerFileConstraint.enabled=true
# data directory
ServerFileConstraint.matcher.01=${cmsroot}/data/**/*.xml
ServerFileConstraint.matcher.02=${cmsroot}/data/**/*_backup*
# bin directory
ServerFileConstraint.matcher.03=${cmsroot}/bin/fs-server*
ServerFileConstraint.matcher.04=${cmsroot}/bin/wrapper*
ServerFileConstraint.matcher.05=${cmsroot}/bin/sysinfo*
ServerFileConstraint.matcher.06=${cmsroot}/bin/*.jar
ServerFileConstraint.matcher.07=${cmsroot}/bin/*.exe
# conf directory
ServerFileConstraint.matcher.08=${cmsroot}/conf/fs-jaas.*
ServerFileConstraint.matcher.09=${cmsroot}/conf/fs-wrapper.*
ServerFileConstraint.matcher.10=${cmsroot}/conf/fs-exec.*
ServerFileConstraint.matcher.11=${cmsroot}/conf/**/*_backup*

# Restrict process creation (Whitelist)
ProcessStartConstraint.enabled=true
ProcessStartConstraint.matcher.01=${cmsroot}/shared/bin/*
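
The following audit script is an added example, not part of the FirstSpirit documentation or product code. It models the layering described on this page (built-in defaults, then [default], then the context section) and reports, per execution context, which constraints end up disabled and which custom matchers use a number below the recommended start. The key-by-key merge, the sample file and the conf/secrets path are assumptions made for illustration.

```python
import configparser
import re

CONTEXTS = ("BeanshellExecutable", "Invoker")  # contexts named on this page
BUILTIN = {  # "enabled" defaults from the page's default configuration
    "RuntimeExitConstraint.enabled": "true",
    "ServerFileConstraint.enabled": "true",
    "ProcessStartConstraint.enabled": "true",
}
# Lowest NN the page recommends for custom matcher entries.
FIRST_CUSTOM_NN = {"ServerFileConstraint": 20, "ProcessStartConstraint": 10}

def effective(conf_text):
    """Layer built-in defaults <- [default] <- [context]; key-by-key merge is assumed."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(conf_text)
    result = {}
    for ctx in CONTEXTS:
        merged = dict(BUILTIN)
        for section in ("default", ctx):
            if cp.has_section(section):
                merged.update(cp.items(section))
        result[ctx] = merged
    return result

def audit(conf_text):
    """Return (context, key, finding) tuples for settings that deviate from the defaults."""
    findings = []
    for ctx, cfg in effective(conf_text).items():
        for key, value in sorted(cfg.items()):
            if key.endswith(".enabled") and value.strip().lower() != "true":
                findings.append((ctx, key, "constraint disabled"))
            m = re.fullmatch(r"(\w+)\.matcher\.(\d+)", key)
            if m and int(m.group(2)) < FIRST_CUSTOM_NN.get(m.group(1), 0):
                findings.append((ctx, key, "matcher number below recommended start"))
    return findings

# Constructed sample: process creation off globally, on for templates, one low-numbered matcher.
SAMPLE = """\
[default]
ProcessStartConstraint.enabled=false
ServerFileConstraint.matcher.05=${cmsroot}/conf/secrets/**

[Invoker]
ProcessStartConstraint.enabled=true
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample, the audit shows that re-enabling the check in [Invoker] leaves BeanShell scripts without a process whitelist, because that context still inherits the disabled value from [default].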

Constraint configuration

RuntimeExitConstraint.enabled

Enables or disables the check for System.exit() and Runtime.halt() calls.

Permitted values

  • true (active; default value)
  • false (disabled)

ServerFileConstraint.enabled

Enables or disables the check for access to protected files in the server file system.

Permitted values

  • true (active; default value)
  • false (disabled)

ServerFileConstraint.matcher.NN

Defines a path pattern for the file access blacklist.

NN is a two-digit sequential number (e.g. 20, 21). Files matching any of these patterns are blocked for scripts and templates. Glob syntax is used. ${cmsroot} is replaced with the absolute path of the FirstSpirit Server.

ProcessStartConstraint.enabled

Enables or disables the check for external process creation.

Permitted values

  • true (active; default value)
  • false (disabled)

ProcessStartConstraint.matcher.NN

Defines a path pattern for the whitelist of permitted executable files.

NN is a two-digit sequential number (e.g. 10, 11). Only files matching any of these patterns are allowed to be started by scripts and templates.

By default, only the directory <FirstSpirit Server>/shared/bin/ is permitted.

Allowing external processes

If external processes need to be started from scripts or templates, there are three options:

  • Place the executable file (or a script or symbolic link) in the <FirstSpirit Server>/shared/bin/ directory. This directory is already permitted in the default configuration.
  • Extend the whitelist by adding additional ProcessStartConstraint.matcher.NN entries in fs-exec.conf.
  • Disable the process creation check entirely via ProcessStartConstraint.enabled=false.

Important: External processes run under the operating system user of the FirstSpirit Server and are not subject to any further restrictions by the execution constraints. Therefore, a started process has the same permissions as the FirstSpirit Server process itself.

Important: The first element of the process command is checked against the whitelist. The command must be passed as a separate element — combining the path and arguments into a single string will not be recognized as a permitted path.

© 2005 - 2026 Crownpeak Technology GmbH | All rights reserved. | FirstSpirit 2026.4 | Data privacy