Rewrite the scripting security docs #23930
Conversation
They needed to be updated now that Painless is the default and the non-sandboxed scripting languages are going away or gone. I dropped the entire section about customizing the classloader whitelists. In master this barely does anything (exposes more things to expressions) and in 5.x it isn't advisable anyway.
nik9000
added
:Core/Infra/Scripting
| and `javascript` is super dangerous. These languages have unfettered access to | ||
| Elasticsearch and can cause all kind of trouble. Worse, the only thing | ||
| preventing them from causing real trouble is the Java security manager and | ||
| SECCOMP/Seatbelt/ActiveProcessLimit. Assuming that those will prevent disaster |
| Internet write scripts. | ||
|
|
||
| Enabling dynamic scripting for non-sandboxed languages like `groovy`, `python`, | ||
| and `javascript` is super dangerous. These languages have unfettered access to |
There was a problem hiding this comment.
Unless you want to refer to the modules/plugins by name here, I think it's better to not stylize these in monospace, but instead refer to them by their names: Groovy, Python, and JavaScript.
| <2> Allow inline Groovy scripts for all operations | ||
| <3> Allow stored Groovy scripts to be used for search and aggregations. | ||
| <2> Allow inline Painless scripts for all operations | ||
| <3> Allow stored Painless scripts to be used for search and aggregations. |
There was a problem hiding this comment.
You're inconsistent as far as whether or not these end with periods.
There was a problem hiding this comment.
In general, good changes. I think the tone isn't quite right - it's conversational, which is suitable for a blog but not so much for documentation about security. You don't want opinions or conversations here, or anything vague that might be misunderstood, or presuming that users know what eg seccomp is. You want very clear, simple advice, with clear definitions etc.
| First and foremost, never run Elasticsearch as the `root` user, as this would | ||
| allow a script to access or do *anything* on your server, without limitations. | ||
| Elasticsearch checks if it is running as `root` on startup but it won't | ||
| refuse to start if it can't be sure so do your part to make sure it isn't |
There was a problem hiding this comment.
if it can't be sure? why wouldn't it be sure? I think simplify this (leaving out edge cases) to simply say: don't run as root.
| running as `root`. | ||
|
|
||
| You should not expose Elasticsearch directly to users, but instead have an | ||
| application in between your users and Elasticsearch. If you *must* allow users |
There was a problem hiding this comment.
"an application to sanitise user input before running requests on ES" - or something similar
| directly to your users, then you have to decide whether you trust them enough | ||
| to run scripts on your box or not, and apply the appropriate safety measures. | ||
|
|
||
| [[enable-dynamic-scripting]] |
There was a problem hiding this comment.
removing this anchor is probably going to break a lot of links in other docs - be aware that other books will need edits too
There was a problem hiding this comment.
Do you think I should keep the anchor somewhere with a comment that it is historical? Something about how it is no longer needed in most cases?
There was a problem hiding this comment.
No, I think it probably makes more sense to fix the places that link to it.
There was a problem hiding this comment.
I got the docs build to verify this and it looks like nothing else links there.
| https://en.wikipedia.org/wiki/Defense_in_depth_(computing)[layers], so you'll | ||
| want to take some steps as well. | ||
|
|
||
| First and foremost, never run Elasticsearch as the `root` user, as this would |
There was a problem hiding this comment.
Add
[float]
=== Don't run as root
| Elasticsearch checks if it is running as `root` on startup but it won't | ||
| refuse to start if it can't be sure so do your part to make sure it isn't | ||
| running as `root`. | ||
|
|
There was a problem hiding this comment.
Add
[float]
=== Don't expose Elasticsearch to the Internet
| determined malicious user to write searches that overwhelm the Elasticsearch | ||
| cluster and bring it down. | ||
|
|
||
| By default Elasticsearch enables dynamic scripting for sandboxed languages, |
There was a problem hiding this comment.
Add
[float]
=== Sandboxed scripting languages
| By default Elasticsearch enables dynamic scripting for sandboxed languages, | ||
| namely the scripting language `painless`, the template language `mustache`, and | ||
| the expression language `expressions`. These *ought* to be safe to expose to | ||
| trusted users and to your application servers. It is tempting fate to expose |
There was a problem hiding this comment.
Instead of "it is tempting fate", perhaps something like "Be aware that all software has bugs, and bugs can be exploited by determined malicious users"
| and `javascript` is super dangerous. These languages have unfettered access to | ||
| Elasticsearch and can cause all kind of trouble. Worse, the only thing | ||
| preventing them from causing real trouble is the Java security manager and | ||
| SECCOMP/Seatbelt/ActiveProcessLimit. Assuming that those will prevent disaster |
There was a problem hiding this comment.
I don't like this line starting "Assuming..." - it sounds like you're saying that the security manager etc is pretty much a waste of time.
I'd have a section explaining the other layers of security that we have such as JSM, seccomp, etc. Then say something like "Even with those in place, non-sandboxed languages provide the malicious user with too many opportunities to attack your cluster or to mount a denial of service attack"
| script.inline: false | ||
| script.stored: false | ||
| script.file: true | ||
| script.inline: false <1> |
There was a problem hiding this comment.
these are the defaults for non-sandboxed, not for all scripts
| [[java-security-manager]] | ||
| [float] | ||
| === Java Security Manager | ||
|
|
There was a problem hiding this comment.
While class whitelisting may not be useful for Painless, this section is probably still useful for plugin authors. Perhaps it should be moved to the plugin docs?
There was a problem hiding this comment.
There is a section in the plugin/authors.asciidoc about the security manager. I'll see about what can be merged.
There was a problem hiding this comment.
After another read it look like nothing can be merged. All the tips here are basically ways to expose more classes to groovy. The words in plugin/authors.asciidoc are more about making the security manager work for your plugin.
I wonder if it makes sense to only target this at 6.0? Or just cherry-pick some of it back to 5.x? The page is pretty out of date for 5.x but all this security manager stuff still kind of applies to groovy.
|
@clintongormley I believe this is ready for another round when you are ready for it. |
There was a problem hiding this comment.
Looks fantastic! (just one section that I think needs a little tweaking).
Regarding 5.x vs 6, I think it is worth backporting but in 5.x I'd leave the java security policy stuff, and in 6.0 I'd remove all mention of non-sandboxed languages as they won't exist anymore
| @@ -1,67 +1,108 @@ | |||
| [[modules-scripting-security]] | |||
| === Scripting and security | |||
|
|
|||
| You should never run Elasticsearch as the `root` user, as this would allow a | |||
| script to access or do *anything* on your server, without limitations. | |||
| While Elasticsearch contributors make every effort to prevent scrips from | |||
| is a poor choice because: | ||
| 1. This drops a layer of security, leaving only Elasticsearch's builtin | ||
| <<modules-scripting-other-layers, security layers>>. | ||
| 2. Un-sandboxed scripts have unchecked access to Elasticsearch's internals and |
There was a problem hiding this comment.
Un-sandboxed -> Non-sandboxed
| Which scripts Elasticsearch will execute where is controlled by settings | ||
| starting with `scripts.`. The simplest settings allow scripts to be enabled | ||
| or disabled based on where they are stored. The default values for | ||
| non-sandboxed languages are the following: |
There was a problem hiding this comment.
This section is a bit confusing I think because you're showing the global settings, but using them to explain the default settings for non-sandboxed languages. I'd perhaps explain the default for sandboxed vs non-sandboxed first, then say "you can use these global settings to enable/disable ALL scripting languages"
| https://en.wikipedia.org/wiki/Seccomp[seccomp] in Linux, | ||
| https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt] in mac OS, | ||
| and ActiveProcessLimit on Windows to prevent forking and other undesirable | ||
| behaviors like writing to unexpected directories. |
There was a problem hiding this comment.
We do not use these mechanisms for preventing writes, only to prevent fork/exec. The Java security manager plays the role of guarding the filesystem.
There was a problem hiding this comment.
I thought we used it for more than fork/exec. I know seccomp would support all kind of things and I thought we'd turned on some of them. Will reread for my own sanity.
There was a problem hiding this comment.
Just reread. Only exec and fork as you say. Will fix.
|
|
||
| Elasticsearch uses | ||
| https://en.wikipedia.org/wiki/Seccomp[seccomp] in Linux, | ||
| https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt] in mac OS, |
There was a problem hiding this comment.
I keep remembering this one incorrectly.
| Elasticsearch uses | ||
| https://en.wikipedia.org/wiki/Seccomp[seccomp] in Linux, | ||
| https://www.chromium.org/developers/design-documents/sandbox/osx-sandboxing-design[Seatbelt] in mac OS, | ||
| and ActiveProcessLimit on Windows to prevent forking and other undesirable |
There was a problem hiding this comment.
There was a problem hiding this comment.
I'd found a bunch of links but wasn't familiar enough with the windows API to know which one is canonical. Similarly, I used a link to the chromium docs for Seatbelt because it looked like it explained the mechanism better and actually used the word Seatbelt. I couldn't really follow the Apple links.
There was a problem hiding this comment.
The Apple docs indeed leave room for improvement.
I'd like to remove the non-sandboxed stuff in the master branch in a followup so I can backport this pretty cleanly to 5.x. |
|
@clintongormley and @jasontedor, I pushed some more changes. Please have a look when you get a chance. |
They needed to be updated now that Painless is the default and the non-sandboxed scripting languages are going away or gone.
|
Thanks @jasontedor and @clintongormley! I've merged to master and backported to 5.x with 66fec71. I believe it keeps all the for the groovy workarounds. |
Drops any mention of non-sandboxed scripting languages other than a brief "we don't support them and we shouldn't because A and B" statement. Relates to elastic#23930
Drops any mention of non-sandboxed scripting languages other than a brief "we don't support them and we shouldn't because A and B" statement. Relates to #23930
They needed to be updated now that Painless is the default and
the non-sandboxed scripting languages are going away or gone.
I dropped the entire section about customizing the classloader
whitelists. In master this barely does anything (exposes more
things to expressions) and in 5.x it isn't advisable anyway.