
Key: RHQ-586
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Critical
Assignee: Jay Shaughnessy
Reporter: Jay Shaughnessy
Votes: 0
Watchers: 0
RHQ Project

Protect against cyclic symbolic link following

Created: 17/Jun/08 10:22 AM   Updated: 18/Jun/08 02:02 PM
Component/s: None
Affects Version/s: 1.0
Fix Version/s: 1.0.1

Time Tracking:
Not Specified

Environment: LINUX, UNIX

Resolution Date: 18/Jun/08 10:42 AM
Date of First Response: 18/Jun/08 01:44 PM
Tester: Wilfred Itte


Description
Opened for Issue 185521 (https://enterprise.redhat.com/issue-tracker/?module=issues&action=view&tid=185521)

When discovering scripts the JBAS plugin follows symbolic links defined on *NIX platforms. This has the potential to recurse infinitely if the customer has a circularity defined. We need to protect against this situation here and potentially other places.
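The cycle guard the description asks for, as an added illustration rather than the fix committed to the plugin: the walker records the canonical (link-resolved) path of every directory it enters and refuses to descend into one it has already seen. Java of this era has no symlink API, but File.getCanonicalPath() resolves links, so in the layout from the test steps (bin/scripts/myscripts pointing back at $HOME/myscripts, which in turn links to bin) the second visit to bin is recognised and skipped while test1.sh and test2.sh are still found. Class and method names are this example's own.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Collects *.sh files below a root directory without looping forever when a
 * symbolic link points back up the tree. Cycles are detected by canonical
 * path: a link into an already-visited real directory resolves to a path that
 * is already in the visited set, so it is not entered a second time.
 */
public class SafeScriptWalker {
    private final Set<String> visitedDirs = new HashSet<String>();
    private final List<File> scripts = new ArrayList<File>();

    public List<File> collect(File root) throws IOException {
        walk(root);
        return scripts;
    }

    private void walk(File dir) throws IOException {
        // getCanonicalPath() follows symlinks, so two links to the same
        // directory produce the same key regardless of how they were reached.
        String canonical = dir.getCanonicalPath();
        if (!visitedDirs.add(canonical)) {
            return; // already walked this real directory: cycle or duplicate link
        }
        File[] entries = dir.listFiles();
        if (entries == null) {
            return; // not a directory, or unreadable; nothing to descend into
        }
        for (File entry : entries) {
            if (entry.isDirectory()) {       // isDirectory() also follows links
                walk(entry);
            } else if (entry.getName().endsWith(".sh")) {
                scripts.add(entry);
            }
        }
    }

    public static void main(String[] args) throws IOException {
        File root = new File(args.length > 0 ? args[0] : ".");
        for (File script : new SafeScriptWalker().collect(root)) {
            System.out.println(script.getPath());
        }
    }
}
```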




Comments
Jay Shaughnessy - 17/Jun/08 10:25 AM
r10064 protected against circularity when discovering scripts (due to symbolic links defined on the agent). Needs to be tested on *NIX environment and also need to look for other areas this may occur.

Jay Shaughnessy - 17/Jun/08 01:52 PM

Other tree-walking:

* org.rhq.core.pluginapi.util.FileUtils.purge() may also need symlink protection. In this case we probably don't want to follow symlinks, just delete them.

* org.rhq.enterprise.server.plugin.content.ContentSourcePluginClassLoader may need it for its (near duplicate) purge method.

* ServerInformation in the installer also recursively walks dir trees but I think this is safe since we're under control of the file structure being worked on.

I don't want to make changes here given the proximity of the 2.0.1 release and the fact that this code is not tied to any reported issues. It should be addressed soon after release.

Jay Shaughnessy - 18/Jun/08 08:49 AM
A tech note from Ian re: detecting symlinks, which is not fully supported in Java:

Note, if you did want to determine if something was a symlink, you could also always use SIGAR:

import org.hyperic.sigar.FileInfo;
import org.hyperic.sigar.Sigar;
import org.hyperic.sigar.SigarException;

Sigar sigar = new Sigar();
// getLinkInfo() inspects the link itself (lstat); getFileInfo() would follow it
// to the target and never report TYPE_LNK. Both throw SigarException.
FileInfo fileInfo = sigar.getLinkInfo(file.getPath());
if (fileInfo.getType() == FileInfo.TYPE_LNK) {
   // file is a symlink
}

Jay Shaughnessy - 18/Jun/08 10:42 AM
Test steps:

There are lots of circularity scenarios you could create, this is just one, but one should suffice.

Install a JBoss release on a *NIX system.

0) cd $HOME
1) mkdir myscripts
2) cd myscripts
3) test2.sh
4) ln --symbolic jbossinstalldir/bin bad-link
5) cd bad-link
6) mkdir scripts
7) cd scripts
8) create scripts/test1.sh
9) ln --symbolic $HOME/myscripts myscripts
10) ls -lLR

This should have a circularity defined.

11) start jboss
12) start an agent on this machine, ensuring the server has a jbossas plugin with the fix.
13) discover and import the jboss server
14) ensure the bin scripts, test1.sh and test2.sh are all inventoried scripts.



Wilfred Itte - 18/Jun/08 01:44 PM
Verified: bin scripts, test1.sh and test2.sh are all inventoried scripts.

Heiko W. Rupp - 18/Jun/08 01:48 PM
This looks ok on Mac OS X.

Wilfred Itte - 18/Jun/08 02:02 PM
Verified on RHEL5.