[opencms-dev] Newbie Install Help : Permissions

Jonathan Woods jonathan.woods at scintillance.com
Sat Oct 7 18:39:58 CEST 2006


Well, you know a lot more about this than I do!  I confess that I have been
known to grant all permissions to Java (i.e. I don't run with a security
manager), and I rely instead on Unix security.  The Java process runs as a
severely limited user, and therefore it can attempt what it likes without
much compromising anything else.  So I guess what I'm saying is... would
that be enough for you?  You could then turn off JVM-level security
altogether, though I agree it's better to be as complete as possible.

Or more palatably, you could turn off JVM security while developing, at
least making some visible progress, and hopefully keep your fledgling
OpenCms installation closed to the world at large.  Maybe the JVM security
answer would come in time for opening things up. 

Jon

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of Sam Batschelet
Sent: 07 October 2006 16:33
To: OpenCMS
Subject: Re: [opencms-dev] Newbie Install Help : Permissions

On 10/7/06 10:52 AM, "Jonathan Woods" <jonathan.woods at scintillance.com>
wrote:


> From a bit of Googling on the exception trace (the BeanUtils carp 
> about not being able to access something or other) it does look like 
> restrictive security permissions are the problem.  Security perms may 
> be set on the Java invocation which fires up the Sun app server (i.e. 
> on the command line or in properties files which it refers to) or else 
> they're buried deep in app server config.
> 
> Is this any help?:
> http://docs.sun.com/app/docs/doc/819-3659/6n5s6m58n?a=view
> 
> Jon

Jon,
  Yes, that doc is helpful as it does outline the guidelines to what I have
been hacking around from Google examples.  But the problem is that I have
set these permissions for the files that are being complained about
opencms-vfs.xml.  It seems more involved than actually reading the XML
config file.  Here is my server file <below>.  Now this is very random and
messy because I am adding these from things I have read.  Some have unlocked
problems but I still have a few.  Is there a document which highlights the
necessary security perms for opencms?  I know some of this is very
promiscuous and possibly very wrong but it seems like these perms should be
outlined in the docs which I haven't found.  Thanks again Jon for your time.


grant {

 permission java.lang.RuntimePermission
        "setIO";
 permission java.lang.RuntimePermission
        "createClassLoader";
  permission java.lang.RuntimePermission
        "getClassLoader";
  permission java.lang.RuntimePermission
        "exitVM";
  permission java.lang.RuntimePermission
        "setFactory";
  permission java.lang.RuntimePermission
        "modifyThread";
  permission java.lang.RuntimePermission
        "modifyThreadGroup";
  permission java.lang.RuntimePermission
        "getProtectionDomain";
  permission java.lang.RuntimePermission
        "setProtectionDomain";
  permission java.lang.RuntimePermission
        "readFileDescriptor";
  permission java.lang.RuntimePermission
        "writeFileDescriptor";

};

grant {
permission java.util.PropertyPermission "java.vm.info", "read";

};


// Core server classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
        permission java.security.AllPermission;
};

// Basic set of required permissions granted to all remaining code
grant {
        permission java.lang.RuntimePermission  "loadLibrary.*";
        permission java.lang.RuntimePermission  "queuePrintJob";
        permission java.net.SocketPermission    "*", "connect";
        permission java.io.FilePermission       "<<ALL FILES>>", "read,write,delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms", "read,write";

        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/applications/j2ee-modules/opencms/-", "read";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/export", "write, delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/pics/system", "write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/pics/", "write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/logs/opencms.log", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/-", "read,write,delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/generated/xml/j2ee-modules/opencms/-", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/generated/xml/j2ee-modules/opencms/WEB-INF/-", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/config/-", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/occlasses/-", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/oclib", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/web.xml", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/export", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/export/-", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/config/-", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/packages/modules/-", "read, write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/autodeploy/-", "read,write,delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/autodeploy/opencms", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/-", "read,write";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/-", "read,write,delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/lib/leadtracker.jar", "read";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/lib/mm.mysql-2.0.4-bin.jar", "read";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/lib/opencmsboot.jar", "read";

//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/lib/tools.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/rt.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/jsse.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/charsets.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/ext/localedata.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/plugin.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/javaws.jar", "read";
//permission java.io.FilePermission "/usr/java/jdk1.5.0_09/jre/lib/deploy.jar", "read";


        // work-around for pointbase bug 4864405
        permission java.io.FilePermission "${com.sun.aas.instanceRoot}${/}lib${/}databases${/}-", "delete";
        permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";

        permission java.util.PropertyPermission "*", "read, write, delete";

        permission java.lang.RuntimePermission  "modifyThreadGroup";
};


// Following grant block is only required by Connectors. If Connectors
// are not in use the recommendation is to remove this grant.
grant {
        permission javax.security.auth.PrivateCredentialPermission "javax.resource.spi.security.PasswordCredential * \"*\"","read,write";
};

// Following grant block is only required for Reflection. If Reflection
// is not in use the recommendation is to remove this section.
grant {
        permission java.lang.RuntimePermission "accessDeclaredMembers";
};
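
Added example, not part of the original thread: a small Python audit over a policy file like the one posted above. It flags broad permissions in grant blocks that carry no codeBase or signedBy (and so apply to all code) and counts the path-specific FilePermission entries that "<<ALL FILES>>" already implies. The sample policy is constructed and trimmed from the posted one; the rule names and the short list of RuntimePermission targets treated as risky are choices made for this example, and only whole-line // comments are handled.

```python
import re

# Constructed sample in the shape of the policy posted above (trimmed).
SAMPLE_POLICY = r'''
// Core server classes get all permissions by default
grant codeBase "file:${com.sun.aas.installRoot}/lib/-" {
        permission java.security.AllPermission;
};
grant {
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
        permission java.io.FilePermission "/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/opencms/WEB-INF/-", "read,write,delete";
        permission java.io.FilePermission "${java.io.tmpdir}${/}-", "delete";
        permission java.util.PropertyPermission "*", "read, write, delete";
        //permission java.io.FilePermission "/usr/java/jdk1.5.0_09/lib/tools.jar", "read";
};
'''

GRANT = re.compile(r'\bgrant\b((?:[^{"]|"[^"]*")*)\{(.*?)\}\s*;', re.S)
PERM = re.compile(r'\bpermission\s+([\w.$]+)(?:\s+"((?:[^"\\]|\\.)*)")?(?:\s*,\s*"([^"]*)")?')
RISKY_RUNTIME = {"createClassLoader", "exitVM", "setFactory"}  # example's choice

def parse(text):
    """Yield (qualifier, class, target, actions) for each permission entry."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)   # drop whole-line // comments
    for qualifier, body in GRANT.findall(text):
        for cls, target, actions in PERM.findall(body):
            acts = frozenset(a.strip() for a in actions.split(',') if a.strip())
            yield qualifier.strip(), cls, target, acts

def audit(text):
    """Flag broad permissions in grants that apply to all code."""
    perms = list(parse(text))
    findings = []
    for qual, cls, target, acts in perms:
        if qual:
            continue                      # scoped grant: not judged here
        short = cls.rsplit('.', 1)[-1]
        if short == "AllPermission":
            findings.append(("all-permission", target))
        elif short == "RuntimePermission" and target in RISKY_RUNTIME:
            findings.append(("risky-runtime", target))
        elif short == "PropertyPermission" and target == "*" and "write" in acts:
            findings.append(("property-write-all", target))
        elif short == "FilePermission" and target == "<<ALL FILES>>" and acts & {"write", "delete"}:
            shadowed = [t for _, c, t, a in perms
                        if c.endswith("FilePermission") and t != target and a <= acts]
            findings.append(("all-files-write", f"{len(shadowed)} path grants redundant"))
    return findings
```

On the sample, the AllPermission grant scoped to the server's lib directory is left alone, while the unscoped "<<ALL FILES>>" entry is reported together with the two path entries it makes redundant.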



