Permission set granted for sandboxed application domains is not secure

[gkronber]

Related to ticket #831

To make the sandbox more secure the following permissions should be removed in future versions:

• SecurityPermissionFlag.Infrastructure
• SecurityPermissionFlag.UnmanagedCode
• SecurityPermissionFlag.ControlEvidence
• ReflectionPermission(PermissionState.Unrestricted)
• FileIOPermissionAccess.PathDiscovery, Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))

also see: ​http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermissionflag.aspx

This must be fixed before Hive is released.

[ascheibe]

We should also change the account with which the slave service is executed from SYSTEM to NETWORK to gain additional security.

[ascheibe]

r8340 changed user account for executing the slave service to NetworkService (thanks jkarder for the patch)

[ascheibe]

I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that gkronber?

[gkronber]

Replying to ascheibe:

I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that gkronber?

Using the NetworkService is reasonable. I think the security concerns can be handled by only allowing trusted users to run jobs in the Hive. Anyway any permission that is not strictly required should be removed if possible. I'm not sure why we unmanaged code, control evidence and path discovery permissions. Please let us discuss this in the upcoming architects meeting.

[gkronber]

The issue has been discussed in the architects meeting. As we are careful who is allowed to submit hive jobs the current sandboxing scheme in combination with limiting the hive client to NetworkService rights is sufficient.

[abeham]

I change the component to Hive.Slave since the PluginInfrastructure remained unaffected.