Promote document by using privilege escalation issue

Hi everybody!

My customer has decided that all users should be able to promote documents even though they only have Version rights.

We have created our own BOF object (let's call it MyDocument) and my first thought was to override doPromote and use privilege escalation (as described in https://community.emc.com/message/731730#731730) in an EscalatedPromote-method running on the method server with admin rights for users with Version rights. This identified a potential issue when the privileged call to IdfSysObject.doPromote actually was handled by MyDocument.doPromote. I just guessed I could cast my document and make it do sysobjects promote, but that didn't work out. Instead I got a loop where MyDocument.doPromote called my Escalated code which again called MyDocument.doPromote. After some minutes I had opened 400 sessions and I didn't know how to stop it.

Of course, the loop was my bad (I forgot to put the unprivileged user in the privilegeRole-group), but still it's a risky thing to do.

This is the essence of my MyDocument.doPromote():


@Override
protected void doPromote(String state, boolean override, boolean testOnly, Object[] extArguments) throws DfException {
  String privilegeRole = "dynamic_promote_role";
  if (getPermit() >= IDfACL.DF_PERMIT_WRITE) {
       super.doPromote(state, override, testOnly, extArguments);
  } else if (getPermit() == IDfACL.DF_PERMIT_VERSION) {
       int res = promoteDocByEscalatedPrivileges(state, override, testOnly, privilegeRole);
  }
}

The method promoteDocByEscalatedPrivileges() invokes EscalatedPromote.execute() on the method server with the needed arguments. EscalatedPromote.execute() adds the executing user to the privilegeRole-group and calls promoteDoc.

And this is my escalated code:


private void promoteDoc(final string documentId, 
  final String promoteState, 
  final boolean promoteOverride, 
  final boolean promoteTestOnly, 
  final Object[] promoteExtArgs,
  final String inRoleName)
  throws DfException{
       final IDfSession session = getSessionWithUnprivilegedUser();
       try{
            AccessController.doPrivileged(new DfPrivilegedExceptionActionInRole<String>(new DfRoleSpec(inRoleName), true,
            new PrivilegedExceptionAction<String>() {
                 public String run() throws DfException {    
                     IDfSysObject document = (IDfSysObject) session.getObject(new DfId(documentId));     
                     document.promote(promoteState, promoteOverride, promoteTestOnly);     
                      return "";     
                 }
            }));
       }
       catch(PrivilegedActionException e){
            Exception ex = e.getException();
            if(ex instanceof DfException)
                 throw (DfException)ex;
            else
                 throw new DfException(ex);
       }
       catch(RuntimeException re){
            throw re;
       }
}

The user now get's Write-rights in the escalated code and it runs super.doPromote() in line 5 in MyDocument.doPromote() as it should. The next thing that happened is this: HTTP request from 127.0.0.1, invoking LifecycleTransitionOperation.execute(), ARGUMENTS [(...)]

and then:


DfException:: THREAD: http-0.0.0.0-9080-3; MSG: [DM_SYSOBJECT_E_NO_WRITE_ACCESS]error:  "No write access for sysobject named 'Lighthouse'."; ERRORCODE: 100; NEXT: null
at com.documentum.fc.client.impl.docbase.DocbaseExceptionMapper.newException(DocbaseExceptionMapper.java:57)
at com.documentum.fc.client.impl.connection.docbase.MessageEntry.getException(MessageEntry.java:39)
at com.documentum.fc.client.impl.connection.docbase.DocbaseMessageManager.getException(DocbaseMessageManager.java:137)
at com.documentum.fc.client.impl.connection.docbase.netwise.NetwiseDocbaseRpcClient.checkForMessages(NetwiseDocbaseRpcClient.java:310)
at com.documentum.fc.client.impl.connection.docbase.netwise.NetwiseDocbaseRpcClient.applyForInt(NetwiseDocbaseRpcClient.java:581)
at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection$6.evaluate(DocbaseConnection.java:1254)
at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection.evaluateRpc(DocbaseConnection.java:1056)
at com.documentum.fc.client.impl.connection.docbase.DocbaseConnection.applyForInt(DocbaseConnection.java:1247)
at com.documentum.fc.client.impl.docbase.DocbaseApi.parameterizedSave(DocbaseApi.java:768)
at com.documentum.fc.client.DfSysObject$1.evaluate(DfSysObject.java:373)
at com.documentum.fc.client.DfSysObject.doSaveImpl(DfSysObject.java:403)
at com.documentum.fc.client.DfSysObject.doSave(DfSysObject.java:206)
at com.documentum.fc.client.DfPersistentObject.saveEx(DfPersistentObject.java:912)
at com.documentum.fc.client.DfPersistentObject.save(DfPersistentObject.java:907)
at com.documentum.server.impl.method.lifecycle.BPCommon.commitStateChange(BPCommon.java:313)

I don't know why this is happening, but it might have something to do with my unsuccessful adding of permissions to dfc.jar? I tried to add this to java.policy:


//Enable privilege escalation 
grant codeBase "file:/E:/Documentum/jboss5.1.0/server/DctmServer_MethodServer/lib/*" {
  permission com.documentum.fc.client.impl.bof.security.RolePermission "*", "propagate";
};

This gives me the following warning in PolicyTool: Warning: Class not found: com.documentum.fc.client.impl.bof.security.RolePermission

Still, I could not find BPCommon in dfc.jar, so maybe this wasn't my last obstacle after all.

As I don't really feel comfortable with this solution because of the potential loop, I am not sure if I should continue this path or choose another path. I could run promote as a system user as long as I can set the unprivileged user as the modifier (r_modifier) afterwards. Or I could add the unprivileged user to a group with write + change state permission, let the user do the promote and then retract the user from the group afterwards. But this has also a potential security issue.

I was hoping anyone in here has some experience with this issue or any thoughts about what I should do. Any tips or hints are deeply appreciated!

Find more posts tagged with

Note:

If there are Accepted Answers, those will be shown by default. You can switch to 'All Replies' by selecting the tab below.

Accepted answers

PanfilovAB


I was thinking about that approach, but then the superuser is set as r_modifier and the customer needs the user initiating the promote to be set as r_modifier. I was thinking that it's better to do the action as the user with escalated privileges.

Actually, with a_bpaction_run_as=superuser you will get the same behavior as executing custom method. If you are still prefer to use dynamic group solution, the complete code is:

1. interface for anonymous classes:


public interface ISessionInvoker<T> {
    T invoke(IDfSession session) throws DfException;
}

2. Utility class - can run ISessionInvoker using two different approaches:


public final class DynamicGroupHelper {

    private DynamicGroupHelper() {
        super();
    }

    public static <T> T invokeAsPrivilegedRPC(IDfSession session,
            String groupName, ISessionInvoker<T> invoker) throws DfException {
        try {
            return AccessController
                    .doPrivileged(new DfPrivilegedActionInRole<T>(
                            new DfRoleSpec(groupName),
                            new PrivilegedSessionInvoker<T>(session, invoker)));
        } catch (DfExceptionRuntimeWrapper ex) {
            throw (DfException) ex.getCause();
        }
    }

    public static <T> T invokeAsPrivilegedGroup(IDfSession session,
            String groupName, ISessionInvoker<T> invoker) throws DfException {
        boolean added = false;
        try {
            added = addToDynamicGroup(session, groupName);
            return invoker.invoke(session);
        } finally {
            if (added) {
                session.removeDynamicGroup(groupName);
            }
        }
    }

    private static boolean addToDynamicGroup(IDfSession session,
            String groupName) throws DfException {
        if (StringUtils.isBlank(groupName)) {
            throw new IllegalArgumentException("Group Name is empty");
        }
        synchronized (session.getSessionId().intern()) {
            if (isDynamicGroupAdded(session, groupName)) {
                return false;
            }
            session.addDynamicGroup(groupName);
            return true;
        }
    }

    private static boolean isDynamicGroupAdded(IDfSession session,
            String groupName) throws DfException {
        if (StringUtils.isBlank(groupName)) {
            throw new IllegalArgumentException("Group Name is empty");
        }
        for (int i = 0, n = session.getDynamicGroupCount(); i < n; i++) {
            if (session.getDynamicGroup(i).equals(groupName)) {
                return true;
            }
        }
        return false;
    }
}

3. Exception wrapper:


public final class DfExceptionRuntimeWrapper extends RuntimeException {

    private static final long serialVersionUID = 1L;

    public DfExceptionRuntimeWrapper(DfException exception) {
        super(exception);
    }

    public DfExceptionRuntimeWrapper(Exception exception) {
        super(exception);
    }

}

4. implementation:


@Override
protected synchronized void doSave(final boolean keepLock,
        final String versionLabels, final Object[] extendedArgs)
    throws DfException {
    if (!isInsideLifeCycleOperation()) {
        doSaveSuper(keepLock, versionLabels, extendedArgs);
    } else {
        String privilegeRole = "dynamic_promote_role";
        DynamicGroupHelper.invokeAsPrivilegedRPC(getObjectSession(),
                privilegeRole, new ISessionInvoker<Void>() {
                    @Override
                    public Void invoke(IDfSession session)
                        throws DfException {
                        doSaveSuper(keepLock, versionLabels, extendedArgs);
                        return null;
                    }
                });
    }
}

protected void doSaveSuper(final boolean keepLock,
        final String versionLabels, final Object[] extendedArgs)
    throws DfException {
    super.doSave(keepLock, versionLabels, extendedArgs);
}

@Override
protected void doPromote(final String state, final boolean override,
        final boolean testOnly, final Object[] extArguments)
    throws DfException {
    String privilegeRole = "dynamic_promote_role";
    if (getPermit() >= IDfACL.DF_PERMIT_WRITE) {
        doPromoteSuper(state, override, testOnly, extArguments);
    } else if (getPermit() == IDfACL.DF_PERMIT_VERSION) {
        DynamicGroupHelper.invokeAsPrivilegedRPC(getObjectSession(),
                privilegeRole, new ISessionInvoker<Void>() {
                    @Override
                    public Void invoke(IDfSession session)
                        throws DfException {
                        doPromote(state, override, testOnly, extArguments);
                        return null;
                    }
                });
    }
}

private void doPromoteSuper(final String state, final boolean override,
        final boolean testOnly, final Object[] extArguments)
    throws DfException {
    super.doPromote(state, override, testOnly, extArguments);
}

protected final boolean isInsideLifeCycleOperation() {
    StackTraceElement[] ste = new Exception().getStackTrace();
    Set<String> knownClasses = new HashSet<String>();
    knownClasses
            .add("com.documentum.server.impl.method.lifecycle.BPCommon");
    knownClasses
            .add("com.documentum.server.impl.method.lifecycle.BPTransition");
    for (StackTraceElement e : ste) {
        for (String className : knownClasses) {
            if (e.getClassName().startsWith(className)) {
                return true;
            }
        }
    }
    return false;
}

You can use either DynamicGroupHelper.invokeAsPrivilegedRPC() or DynamicGroupHelper.invokeAsPrivilegedGroup() method, the last one does not require to setup java policy, but potentially is not thread-safe.

All comments

PanfilovAB

Lifecycle actions do not work like you expect, let's explain.

When user tries to execute lifecycle operation, it implicitly sends SysObjPromote/SysObjAttach RPC command to CS. To be able send such command user should have some privileges. It's a good point to override TBO methods using DfPrivilegedExceptionActionInRole to give access for unprivileged users. The corresponding code should look like:


@Override
protected void doPromote(final String state, final boolean override,
        final boolean testOnly, final Object[] extArguments)
    throws DfException {
    String privilegeRole = "dynamic_promote_role";
    if (getPermit() >= IDfACL.DF_PERMIT_WRITE) {
        super.doPromote(state, override, testOnly, extArguments);
    } else if (getPermit() == IDfACL.DF_PERMIT_VERSION) {
        try {
            AccessController
                    .doPrivileged(new DfPrivilegedExceptionActionInRole<Void>(
                            new DfRoleSpec(privilegeRole), true,
                            new PrivilegedExceptionAction<Void>() {
                                public Void run() throws DfException {
                                    TBOCLASSNAMEHERE.super.doPromote(state,
                                            override, testOnly,
                                            extArguments);
                                    return null;
                                }
                            }));
        } catch (PrivilegedActionException e) {
            Exception ex = e.getException();
            if (ex instanceof DfException)
                throw (DfException) ex;
            else
                throw new DfException(ex);
        } catch (RuntimeException re) {
            throw re;
        }
    }
}

or like:


@Override
protected void doPromote(final String state, final boolean override,
        final boolean testOnly, final Object[] extArguments)
    throws DfException {
    String privilegeRole = "dynamic_promote_role";
    if (getPermit() >= IDfACL.DF_PERMIT_WRITE) {
        doPromoteSuper(state, override, testOnly, extArguments);
    } else if (getPermit() == IDfACL.DF_PERMIT_VERSION) {
        try {
            AccessController
                    .doPrivileged(new DfPrivilegedExceptionActionInRole<Void>(
                            new DfRoleSpec(privilegeRole), true,
                            new PrivilegedExceptionAction<Void>() {
                                public Void run() throws DfException {
                                    doPromoteSuper(state, override, testOnly, extArguments);
                                    return null;
                                }
                            }));
        } catch (PrivilegedActionException e) {
            Exception ex = e.getException();
            if (ex instanceof DfException)
                throw (DfException) ex;
            else
                throw new DfException(ex);
        } catch (RuntimeException re) {
            throw re;
        }
    }
}

private void doPromoteSuper(final String state, final boolean override,
        final boolean testOnly, final Object[] extArguments)
    throws DfException {
    super.doPromote(state, override, testOnly, extArguments);
}

When CS receives SysObjPromote/SysObjAttach RPC command it send request to JMS to execute dm_bp_transion_java (or dm_bp_transion if you are using dmbasic lifecycle) method. And only that method applies lifecycle changes not doPromote(), so you should have enough privileges inside dm_bp_transion_java method to be able to apply lifecycle changes. I would like recommend to set a_bpaction_run_as property in the docbase config object to "superuser" value - after that all dm_bp_transion_java methods will be executed under installation owner account.