Opened 13 years ago
Closed 12 years ago
#1580 closed defect (done)
Permission set granted for sandboxed application domains is not secure
Reported by: | gkronber | Owned by: | gkronber |
---|---|---|---|
Priority: | high | Milestone: | HeuristicLab 3.3.8 |
Component: | Hive.Slave | Version: | 3.3.8 |
Keywords: | | Cc: | |
Description (last modified by gkronber)
Related to ticket #831
To make the sandbox more secure the following permissions should be removed in future versions:
- SecurityPermissionFlag.Infrastructure
- SecurityPermissionFlag.UnmanagedCode
- SecurityPermissionFlag.ControlEvidence
- ReflectionPermission(PermissionState.Unrestricted)
- FileIOPermissionAccess.PathDiscovery, Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory))
also see: http://msdn.microsoft.com/en-us/library/system.security.permissions.securitypermissionflag.aspx
This must be fixed before Hive is released.
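As an added illustration (not HeuristicLab or Hive code), the following C# program builds two sandboxed application domains on .NET Framework 4.x: one with a grant set that still contains the flags listed above, one without them, and then runs a small probe inside each domain that demands the individual permissions and reports which are granted. The "weak" set is a reconstruction from the list in this ticket, not Hive's actual permission set; the job directory, the class and method names are assumptions made for the example.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example, not HeuristicLab code. Targets .NET Framework 4.x, where
// AppDomain.CreateDomain accepts a grant set. All names below are invented.
public static class SandboxPermissionsDemo
{
    // Grant set in the spirit of the one the ticket criticises: it carries the
    // flags the ticket says should be removed. Reconstruction, not Hive's set.
    public static PermissionSet WeakGrantSet(string systemRoot)
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(
            SecurityPermissionFlag.Execution |
            SecurityPermissionFlag.Infrastructure |
            SecurityPermissionFlag.UnmanagedCode |
            SecurityPermissionFlag.ControlEvidence));
        ps.AddPermission(new ReflectionPermission(PermissionState.Unrestricted));
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.PathDiscovery, systemRoot));
        return ps;
    }

    // Hardened grant set: Execution only, plus read/write on one job directory
    // (assumed; what a plugin really needs has to be found by probing like below).
    public static PermissionSet HardenedGrantSet(string jobDirectory)
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, jobDirectory));
        return ps;
    }

    // No full-trust assemblies are passed, so every assembly loaded into the
    // new domain runs with exactly 'grant'.
    public static AppDomain CreateSandbox(string name, PermissionSet grant)
    {
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        return AppDomain.CreateDomain(name, null, setup, grant);
    }

    // Runs inside the sandbox. Each method demands one permission; Demand throws
    // SecurityException when the domain's grant set does not cover it.
    public class Probe : MarshalByRefObject
    {
        private static bool Allowed(IPermission p)
        {
            try { p.Demand(); return true; }
            catch (SecurityException) { return false; }
        }
        public bool UnmanagedCode()
        {
            return Allowed(new SecurityPermission(SecurityPermissionFlag.UnmanagedCode));
        }
        public bool ControlEvidence()
        {
            return Allowed(new SecurityPermission(SecurityPermissionFlag.ControlEvidence));
        }
        public bool PrivateReflection()
        {
            return Allowed(new ReflectionPermission(ReflectionPermissionFlag.MemberAccess));
        }
        // The path is passed in: reading Environment.SystemDirectory itself
        // demands PathDiscovery and would throw inside the hardened domain.
        public bool PathDiscovery(string path)
        {
            return Allowed(new FileIOPermission(FileIOPermissionAccess.PathDiscovery, path));
        }
    }

    public static void Main()
    {
        // Computed in the full-trust host, exactly as the ticket's entry spells it.
        string systemRoot = Path.GetPathRoot(Path.GetFullPath(Environment.SystemDirectory));
        string jobDir = Path.Combine(Path.GetTempPath(), "hive-job-demo"); // assumed location

        var grants = new[] {
            Tuple.Create("weak", WeakGrantSet(systemRoot)),
            Tuple.Create("hardened", HardenedGrantSet(jobDir))
        };
        foreach (var g in grants)
        {
            AppDomain sandbox = CreateSandbox(g.Item1, g.Item2);
            var probe = (Probe)sandbox.CreateInstanceAndUnwrap(
                typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
            Console.WriteLine("{0}: UnmanagedCode={1} ControlEvidence={2} PrivateReflection={3} PathDiscovery({4})={5}",
                g.Item1, probe.UnmanagedCode(), probe.ControlEvidence(),
                probe.PrivateReflection(), systemRoot, probe.PathDiscovery(systemRoot));
            AppDomain.Unload(sandbox);
        }
    }
}
```

The same probe technique answers the question raised later in this ticket, whether the plugins still run once the permissions are removed: load the plugin code into the domain created with the hardened set and see which demands fail, then add back only those. Two caveats for anyone reusing this: the grant set only constrains managed code, so the Windows account the slave service runs under (NetworkService rather than LocalSystem, as discussed below) remains the outer boundary, and Microsoft later stated that CAS partial-trust sandboxing is not a supported security boundary, which makes restricting who may submit jobs the more important control.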
Change History (14)
comment:1 Changed 13 years ago by gkronber
- Summary changed from Permission set granted for sandboxed AppDomains is not secure to Permission set granted for sandboxed application domains is not secure
comment:2 Changed 13 years ago by gkronber
- Description modified (diff)
comment:3 Changed 13 years ago by gkronber
- Description modified (diff)
comment:4 Changed 13 years ago by gkronber
- Owner changed from gkronber to ascheibe
- Status changed from new to assigned
comment:5 Changed 13 years ago by ascheibe
- Milestone changed from HeuristicLab 3.3.6 to HeuristicLab 3.3.7
comment:6 Changed 12 years ago by ascheibe
- Milestone changed from HeuristicLab 3.3.7 to HeuristicLab 3.3.x Backlog
comment:7 Changed 12 years ago by ascheibe
r8340 changed user account for executing the slave service to NetworkService (thanks jkarder for the patch)
comment:8 follow-up: ↓ 10 Changed 12 years ago by ascheibe
I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that gkronber?
comment:9 Changed 12 years ago by ascheibe
- Milestone changed from HeuristicLab 3.3.x Backlog to HeuristicLab 3.3.8
comment:10 in reply to: ↑ 8 Changed 12 years ago by gkronber
Replying to ascheibe:
I think it is difficult to remove the above mentioned permissions and still be able to run HeuristicLab plugins in the sandbox. I have changed the user under which the slave service is executed in r8340 to NetworkService. This should give us more security compared to the LocalSystem account which was used before. The Internet says: "The Network Service account has the same level of access to resources and objects as members of the Users group." I don't know if this is enough, maybe you can comment on that gkronber?
Using the NetworkService is reasonable. I think the security concerns can be handled by only allowing trusted users to run jobs in the Hive. Anyway, any permission that is not strictly required should be removed if possible. I'm not sure why we need unmanaged code, control evidence and path discovery permissions. Please let us discuss this in the upcoming architects meeting.
comment:11 Changed 12 years ago by ascheibe
- Owner changed from ascheibe to gkronber
- Status changed from assigned to reviewing
comment:12 Changed 12 years ago by gkronber
- Status changed from reviewing to readytorelease
The issue has been discussed in the architects meeting. As we are careful who is allowed to submit hive jobs the current sandboxing scheme in combination with limiting the hive client to NetworkService rights is sufficient.
comment:13 Changed 12 years ago by abeham
- Component changed from PluginInfrastructure to Hive.Slave
I change the component to Hive.Slave since the PluginInfrastructure remained unaffected.
comment:14 Changed 12 years ago by swagner
- Resolution set to done
- Status changed from readytorelease to closed
- Version changed from 3.3.5 to 3.3.8
We should also change the account with which the slave service is executed from SYSTEM to NETWORK to gain additional security.