Skip to content

Use a private directory for temporary files #27144

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

Use a private directory for temporary files #27144

wants to merge 3 commits into from

Conversation

@droberts195
Copy link

@droberts195 droberts195 commented Oct 27, 2017

This change ensures that the contents of the directory where Elasticsearch
creates temporary files can only be listed by the user that Elasticsearch
is running as.

(The temporary files themselves are already read/write for only the user
that Elasticsearch is running as. The extra protection this change adds is
for the visibility of the file names.)

This is currently a work in progress as it causes the evil security tests to
fail.

@droberts195 droberts195 added :Core/Infra/Core Core issues without another label WIP labels Oct 27, 2017
s1monw
s1monw reviewed Oct 27, 2017
View reviewed changes
Copy link
Contributor

@s1monw s1monw left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left some initial thoughts

core/src/main/java/org/elasticsearch/bootstrap/Bootstrap.java Outdated
Copy link
Contributor

@s1monw s1monw Oct 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am not sure we should try to clean up stuff in here. We didn't do this for the java.nio.tmpdir so I am not sure we should do this here.

core/src/main/java/org/elasticsearch/env/Environment.java Outdated
Copy link
Contributor

@s1monw s1monw Oct 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It feels like this is the wrong place to do this. I think we should do this in Bootstrap and then just pass a Path tmpDir to InternalSettingsPreparer#prepareEnvironment and make sure it's mandatory for all instances of environment that are not the single arg ctor. Btw. it feels like there are some sleeping bugs if this ctor is used in prod code.

core/src/main/java/org/elasticsearch/env/Environment.java Outdated
Copy link
Contributor

@s1monw s1monw Oct 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we really need this or would the tmpFile be enough?

Copy link
Author

@droberts195 droberts195 Oct 27, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The only place it's used is in the security manager setup so that the security manager allows access to java.io.tmpdir, not just the new sub-directory below it. The reason I thought this would be a good idea is that there could be a 3rd party Elasticsearch plugin that uses a Java library that assumes it can use java.io.tmpdir. At the moment this would work, but if we changed our security manager rules to disallow access to java.io.tmpdir then any such plugins would stop working.

I can achieve this differently so that java.io.tmpdir is not made available by the Environment class, but the security manager still allows access to it for the benefit of Java libraries used by 3rd party plugins. Or I can just leave the security manager setup as it was so that everything that wants a temp directory has to use Environment.tmpFile(). Do you have a preference?

Copy link
Contributor

@s1monw s1monw Oct 29, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can't you just use the system property in the security manager instead?

David Roberts added 3 commits October 30, 2017 08:51
Use a private directory for temporary files
fdbc53b 
This change ensures that the contents of the directory where Elasticsearch
creates temporary files can only be listed by the user that Elasticsearch
is running as.

(The temporary files themselves are already read/write for only the user
that Elasticsearch is running as.  The extra protection this change adds is
for the visibility of the file names.)
Revert "Use a private directory for temporary files"
04a9f69 
This reverts commit fdbc53b.
Change approach to pass temp directory to Environment
a0009f5
@droberts195 droberts195 force-pushed the private_temp_directory branch from 4b5b6a7 to a0009f5 Compare October 30, 2017 17:52
@droberts195
Copy link
Author

droberts195 commented Nov 30, 2017

A different approach will be used that achieves the same result with far fewer code changes, hence closing this.

@jasontedor jasontedor mentioned this pull request Nov 30, 2017
Merged
@droberts195 droberts195 deleted the private_temp_directory branch April 25, 2018 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@s1monw s1monw s1monw left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

:Core/Infra/Core Core issues without another label WIP

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@droberts195 @s1monw