Sandbox configuration file
For security reasons, any server where an 'adxd' daemon or service runs, and a 'sadfsq' software is installed to allow access to files in the file system through the Sage X3 People engine, must have a security sandbox definition file.
Security rules have been reinforced in version 7.2: a clear distinction is done between Clouds based environments and on premise environments.
This file is called configRuntime.json:
* It is installed in the cfg subfolder of the Sage X3 People runtime folder.
* Should be write protected, but readable by the Sage X3 People runtime engine.
* It includes a set of parameters in JSON format, and especially the list of folders where the Sage X3 People engine is allowed to access (sandbox definition).
When an installation is done on the Clouds, the code executed by the engine can run in trusted or untrusted mode:
trusted when called directly or when called from a trusted execution instance.untrusted.untrusted mode as well.Some limitations apply on trusted code execution:
* the sandbox limitation apply for files accessed from the server.
* restrictions exists on the order executed by the System command as explained below.
On untrusted code execution, the limitations are more severe:
* only the sandbox location with secured flag set to true can be accessed.
* no execution of a System command is possible.
The format of the file is the following:
{ "sandbox": {"directories": [{"path": "...","extensions": ["...", "..." ]"pattern": ["...", "..." ]"writable": true,"secured": true,"volume": "A"}…],"spawn": [{"path": "…","pattern": "…""params": […],"modes": […]}…],"allowConsole" : false}sandbox section, the directories section is a collection of entries that define the sandbox as a white list of locations that can be accessed. If there is no match, the access is denied. The following rules apply:adxvolume configuration file. For more information, see the filpath documentation.writable defines if files can be created or modified in the corresponding directory. Its value is false by default.secured defines if the directory can be accessed by in untrusted execution mode. Its value is false by default.In the sandbox section, the spawn section is a collection of entries that define the system commands usable in trusted mode as a white list. If there is no match with the command to be executed, the execution is denied. The following rules apply:
path is the directory where the command can be found. This path must of course be included in the sandbox white list.pattern defines the command pattern to be executed (as a regular expression). See the section above to know the syntaxes usable for regular expressions.params is an optional collection of numbers that give the list of parameters of the command that are files.modes is a collection of strings associated to the previous params collection, that defines if the corresponding files need read and/or write access (the strings in the collection will include "r" and/or "w" for this purpose).spawn rules before execution of the script.The allowConsole parameter must be set to true to allow the console to operate. The console operation implies access to all the folders of the server and not only to the white list. Note that this might be a security flaw if the flag remains set to true. This must be only the case during the small period of the installation and the configuration, or when an evolution of the configuration has to be piloted by the console.
In normal exploitation conditions, allowConsole must be set to false.
As there is no exception on folders that can be accessed, the following folders must be present in the white list table; otherwise, the engine will not work properly. The paths of these folders start with xxxx/runtime, that is supposed to be the path where the runtime is installed:
| This folder stores the configuration file and should be available for the other runtimes that access the server from the network. | { "path": "xxxx/runtime/cfg","extensions": [ "json" ]} |
| This folder stores a semaphore file that needs to be accessed by the process monitoring function (psadx). | { "path": "xxx/V7.1/runtime/sem","writable": true,"extensions": [ "map", "dat" ]} |
| This folder stores log files of the engine and must therefore be accessible in write mode. | { "path": "xxxx/runtime/tmp","extensions": [ "*" ]} |
Every time an engine function uses file access in read or write mode (with functions such as Delfile, Renamefile, Openi, Openo, and [Openio]]) on a given Sage X3 People server, the check is done against the configuration file installed on the right server. If the configuration file denies access to the corresponding file, the error code 27 (no access) appears.
It is possible to check the fact that a file is readable and/or writeable by the checkpath function.
Every time a System command is executed in a Clouds secured environment, the rules defined in the spawn section are tested if the execution mode is trusted, and if the result is unsuccessful, the error code 27 (no access) is returned. In untrusted mode, the error is raised anyways.
| Characters | Definition | Example |
|---|---|---|
| \ | Escape character (must be doubled in path definitions) | C:\\Sage\\bin |
| [character_list] | One of the characters in the list | [ABC] defines one of the characters A, B, C |
| [f-l] | One character in the range defined by the first (f) and last (l) character. | [A-Z0-9] defines a character that can be either an upper case letter or a digit. |
| (p1|p2|p2) | One of the pattern given in the list (here p1, p2 or p3) | (SUB|CNS|X|Y|Z)[A-Z]* defines a name made with uppercase characters starting either with SUB, CNS, X, Y or Z. |
| * | repeats N time (N can be 0) the previous pattern | [A-Z][A-Z0-9]* defines a name starting with an upper case letter following by a variable number of characters that can be upper case letters and/or digits. |
| . | Any character | .* defines N characters (N can be 0). |
| ^ | Optional marker for the beginning of the pattern | ^.*A defines a name that ends with a A. |
| $ | Optional marker for the end of the pattern | .*A$ defines a name that ends with a A. |
{"sandbox": {"directories": [{"path": "c:\\program files\\Sage X3 People\\runtime\\log","writable": true,"extensions": ["log","tra"]}, {"path": "c:\\X3Folders","extensions": ["*"]}, {"others" : "C:\\X3Folders\\Tmp","writable": true,"extensions": ["*"]}, {"path": "c:\\Othervolumes","volume": "A","extensions": ["*"]}]},"spawn": [{"path": "C:\\Sage\\bin","pattern": "^copy.*\.exe""params": [1,2],"modes": [ "r", "w" ]}],"allowConsole" : false}Openi, Openo, Openio, Delfile, Renamefile, System, checkpath.