Sandbox configuration file

For security reasons, any server where an 'adxd' daemon or service runs, and a 'sadfsq' software is installed to allow access to files in the file system through the Sage X3 People engine, must have a security sandbox definition file.

Security rules have been reinforced in version 7.2: a clear distinction is done between Clouds based environments and on premise environments.

This file is called configRuntime.json:
* It is installed in the cfg subfolder of the Sage X3 People runtime folder.
* Should be write protected, but readable by the Sage X3 People runtime engine.
* It includes a set of parameters in JSON format, and especially the list of folders where the Sage X3 People engine is allowed to access (sandbox definition).

Cloud security: trusted and untrusted mode

When an installation is done on the Clouds, the code executed by the engine can run in trusted or untrusted mode:

Some limitations apply on trusted code execution:
* the sandbox limitation apply for files accessed from the server.
* restrictions exists on the order executed by the System command as explained below.

On untrusted code execution, the limitations are more severe:
* only the sandbox location with secured flag set to true can be accessed.
* no execution of a System command is possible.

Configuration file description

The format of the file is the following:

{ "sandbox": {"directories": [{"path": "...","extensions": ["...", "..." ]"pattern": ["...", "..." ]"writable": true,"secured": true,"volume": "A"}…],"spawn": [{"path": "…","pattern": "…""params": […],"modes": […]}…],"allowConsole" : false}

In the sandbox section, the directories section is a collection of entries that define the sandbox as a white list of locations that can be accessed. If there is no match, the access is denied. The following rules apply:

In the sandbox section, the spawn section is a collection of entries that define the system commands usable in trusted mode as a white list. If there is no match with the command to be executed, the execution is denied. The following rules apply:

The allowConsole parameter must be set to true to allow the console to operate. The console operation implies access to all the folders of the server and not only to the white list. Note that this might be a security flaw if the flag remains set to true. This must be only the case during the small period of the installation and the configuration, or when an evolution of the configuration has to be piloted by the console.

In normal exploitation conditions, allowConsole must be set to false.

As there is no exception on folders that can be accessed, the following folders must be present in the white list table; otherwise, the engine will not work properly. The paths of these folders start with xxxx/runtime, that is supposed to be the path where the runtime is installed:

This folder stores the configuration file and should be available for the other runtimes that access the server from the network.
{ "path": "xxxx/runtime/cfg","extensions": [ "json" ]}
This folder stores a semaphore file that needs to be accessed by the process monitoring function (psadx).
{ "path": "xxx/V7.1/runtime/sem","writable": true,"extensions": [ "map", "dat" ]}
This folder stores log files of the engine and must therefore be accessible in write mode.
{ "path": "xxxx/runtime/tmp","extensions": [ "*" ]}

How the control works

Every time an engine function uses file access in read or write mode (with functions such as Delfile, Renamefile, Openi, Openo, and [Openio]]) on a given Sage X3 People server, the check is done against the configuration file installed on the right server. If the configuration file denies access to the corresponding file, the error code 27 (no access) appears.

It is possible to check the fact that a file is readable and/or writeable by the checkpath function.

Every time a System command is executed in a Clouds secured environment, the rules defined in the spawn section are tested if the execution mode is trusted, and if the result is unsuccessful, the error code 27 (no access) is returned. In untrusted mode, the error is raised anyways.

Special characters usable in regular expressions

CharactersDefinitionExample
\Escape character (must be doubled in path definitions)C:\\Sage\\bin
[character_list]One of the characters in the list[ABC] defines one of the characters A, B, C
[f-l]One character in the range defined by the first (f) and last (l) character.[A-Z0-9] defines a character that can be either an upper case letter or a digit.
(p1|p2|p2)One of the pattern given in the list (here p1, p2 or p3)(SUB|CNS|X|Y|Z)[A-Z]* defines a name made with uppercase characters starting either with SUB, CNS, X, Y or Z.
*repeats N time (N can be 0) the previous pattern[A-Z][A-Z0-9]* defines a name starting with an upper case letter following by a variable number of characters that can be upper case letters and/or digits.
.Any character.* defines N characters (N can be 0).
^Optional marker for the beginning of the pattern^.*A defines a name that ends with a A.
$Optional marker for the end of the pattern.*A$ defines a name that ends with a A.

Example of a sandbox file

{"sandbox": {"directories": [{"path": "c:\\program files\\Sage X3 People\\runtime\\log","writable": true,"extensions": ["log","tra"]}, {"path": "c:\\X3Folders","extensions": ["*"]}, {"others" : "C:\\X3Folders\\Tmp","writable": true,"extensions": ["*"]}, {"path": "c:\\Othervolumes","volume": "A","extensions": ["*"]}]},"spawn": [{"path": "C:\\Sage\\bin","pattern": "^copy.*\.exe""params": [1,2],"modes": [ "r", "w" ]}],"allowConsole" : false}

See also

Openi, Openo, Openio, Delfile, Renamefile, System, checkpath.