Opened 6 years ago

Closed 4 years ago

#1580 closed defect (done)

Permission set granted for sandboxed application domains is not secure

Reported by: gkronber Owned by: gkronber
Priority: high Milestone: HeuristicLab 3.3.8
Component: Hive.Slave Version: 3.3.8
Keywords: Cc:

Description (last modified by gkronber)

Related to ticket #831

To make the sandbox more secure the following permissions should be removed in future versions:

  • SecurityPermissionFlag.Infrastructure
  • SecurityPermissionFlag.UnmanagedCode
  • SecurityPermissionFlag.ControlEvidence
  • ReflectionPermission(PermissionState.Unrestricted)
  • FileIOPermissionAccess.PathDiscovery, Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))

also see: http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermissionflag.aspx

This must be fixed before Hive is released.
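As an added illustration (not HeuristicLab's code), the grant set below is reconstructed from the list in the description, with Execution assumed as the one flag that has to stay; `Harden` returns a copy with the five listed permissions taken out, and `IsHardened` checks that the result is a subset of the original and no longer grants unmanaged code.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class SandboxPermissions
{
    // Grant set as the ticket description lists it (reconstructed here, not HeuristicLab's code).
    public static PermissionSet CurrentGrantSet()
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution |        // assumed: needed to run any code at all
            SecurityPermissionFlag.Infrastructure |
            SecurityPermissionFlag.UnmanagedCode |
            SecurityPermissionFlag.ControlEvidence));
        ps.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery,
            Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))));
        return ps;
    }

    // Copy of the grant set with the permissions the ticket wants removed taken out.
    public static PermissionSet Harden(PermissionSet grant)
    {
        var hardened = grant.Copy();
        var sec = (SecurityPermission)hardened.GetPermission(typeof(SecurityPermission));
        if (sec != null)
        {
            var keep = sec.Flags & ~(SecurityPermissionFlag.Infrastructure |
                                     SecurityPermissionFlag.UnmanagedCode |
                                     SecurityPermissionFlag.ControlEvidence);
            hardened.SetPermission(new SecurityPermission(keep));
        }
        hardened.RemovePermission(typeof(ReflectionPermission));
        hardened.RemovePermission(typeof(FileIOPermission));
        return hardened;
    }

    // Check: hardened must be a subset of the original and must not allow unmanaged code.
    public static bool IsHardened(PermissionSet hardened, PermissionSet original)
    {
        var unmanaged = new PermissionSet(PermissionState.None);
        unmanaged.AddPermission(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
        return hardened.IsSubsetOf(original) && !unmanaged.IsSubsetOf(hardened);
    }
}
```

The hardened set is what would be passed as the grant set to `AppDomain.CreateDomain(name, evidence, setup, hardened)` when the plugin AppDomain is created.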

Change History (14)

comment:1 Changed 6 years ago by gkronber

  • Summary changed from Permission set granted for sandboxed AppDomains is not secure to Permission set granted for sandboxed application domains is not secure

comment:2 Changed 6 years ago by gkronber

  • Description modified (diff)

comment:3 Changed 6 years ago by gkronber

  • Description modified (diff)

comment:4 Changed 6 years ago by gkronber

  • Owner changed from gkronber to ascheibe
  • Status changed from new to assigned

comment:5 Changed 6 years ago by ascheibe

  • Milestone changed from HeuristicLab 3.3.6 to HeuristicLab 3.3.7

comment:6 Changed 5 years ago by ascheibe

  • Milestone changed from HeuristicLab 3.3.7 to HeuristicLab 3.3.x Backlog

We should also change the account with which the slave service is executed from SYSTEM to NETWORK to gain additional security.

comment:7 Changed 5 years ago by ascheibe

r8340 changed the user account for executing the slave service to NetworkService (thanks jkarder for the patch)

comment:8 (follow-up: comment 10) Changed 5 years ago by ascheibe

I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that, gkronber?

comment:9 Changed 5 years ago by ascheibe

  • Milestone changed from HeuristicLab 3.3.x Backlog to HeuristicLab 3.3.8

comment:10 (in reply to comment 8) Changed 5 years ago by gkronber

Replying to ascheibe:

I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that, gkronber?

Using the NetworkService is reasonable. I think the security concerns can be handled by only allowing trusted users to run jobs in the Hive. Anyway, any permission that is not strictly required should be removed if possible. I'm not sure why we need unmanaged code, control evidence and path discovery permissions. Please let us discuss this in the upcoming architects meeting.

comment:11 Changed 5 years ago by ascheibe

  • Owner changed from ascheibe to gkronber
  • Status changed from assigned to reviewing

comment:12 Changed 5 years ago by gkronber

  • Status changed from reviewing to readytorelease

The issue has been discussed in the architects meeting. As we are careful who is allowed to submit hive jobs, the current sandboxing scheme in combination with limiting the hive client to NetworkService rights is sufficient.

comment:13 Changed 5 years ago by abeham

  • Component changed from PluginInfrastructure to Hive.Slave

I changed the component to Hive.Slave since the PluginInfrastructure remained unaffected.

comment:14 Changed 4 years ago by swagner

  • Resolution set to done
  • Status changed from readytorelease to closed
  • Version changed from 3.3.5 to 3.3.8