lucene-dev mailing list archives

From "Shawn Heisey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-8101) Installation script permission issues and other scripts fixes
Date Tue, 29 Sep 2015 13:24:04 GMT

    [ https://issues.apache.org/jira/browse/SOLR-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935151#comment-14935151 ]

Shawn Heisey commented on SOLR-8101:
------------------------------------

I think it needs to look for the include script in the solr home first, for compatibility
with existing installations.

If we want to avoid that because of the potential security implications, then we must have
explicit upgrade instructions that discuss moving the include script and changing its permissions.
I would like to see an upgrade script that does all the heavy lifting for an upgrade, including
looking for the include script in the solr home, moving it to /etc, renaming it, and setting
the permissions.

> Installation script permission issues and other scripts fixes
> -------------------------------------------------------------
>
>                 Key: SOLR-8101
>                 URL: https://issues.apache.org/jira/browse/SOLR-8101
>             Project: Solr
>          Issue Type: Improvement
>          Components: scripts and tools
>    Affects Versions: 5.3.1
>            Reporter: Sergey Urushkin
>              Labels: patch, security
>         Attachments: solr-5.3.1.patch
>
>
> Until [https://issues.apache.org/jira/browse/SOLR-7871] is fixed, I suggest improving the
> current shell scripts. Provided patch:
>   * changes {{$SOLR_ENV}} default to {{/etc/default/$SOLR_SERVICE.in.sh}}. This is a
>     *security* issue. If {{solr.in.sh}} is placed in a directory which is writable by
>     {{$SOLR_USER}}, the solr process is able to write to it, and then it will be run by
>     root on start/shutdown.
>   * changes permissions. {{$SOLR_USER}} should only be able to write to {{$SOLR_VAR_DIR}}
>     {{$SOLR_INSTALL_DIR/server/solr-webapp}} {{$SOLR_INSTALL_DIR/server/logs}}. The
>     {{solr-webapp}} directory might be inspected more. These directories should not be
>     readable by other users as they may contain personal information.
>   * sets {{$SOLR_USER}} home directory to {{$SOLR_VAR_DIR}}. As far as I can see, there is
>     no need for the {{/home/solr}} directory.
>   * adds quotes to unquoted variables
>   * adds leading zero to chmod commands
>   * removes group from chown commands (uses ":")
> Tested on Ubuntu 14.04 amd64, but changes are pretty system-independent.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
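
The condition the issue describes (an include script that root sources, located where the service user can write) can be checked on an existing install. The following is an added example, not part of the SOLR-8101 patch or of Solr's own scripts; the function names and the optional trusted-uid and stop-directory parameters are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the SOLR-8101 patch or of Solr's own scripts.
# audit_include FILE [TRUSTED_UID] [TOP_DIR]
#   Walks from FILE up to TOP_DIR (default /) and prints every path that a
#   user other than TRUSTED_UID (default 0, root) could modify or replace.
#   TRUSTED_UID and TOP_DIR are hypothetical parameters for this example.
#   Returns 0 if clean, 1 if something is unsafe, 2 if FILE is missing.

# Succeeds when $1 is owned by uid $2 and is not group- or other-writable.
# Parses POSIX `ls -ldn`; symlinks (lrwxrwxrwx) are reported as unsafe.
path_is_safe() {
    _info=$(ls -ldn -- "$1") || return 2
    _mode=${_info%% *}
    _uid=$(printf '%s\n' "$_info" | awk 'NR == 1 { print $3 }')
    _gw=$(printf '%s' "$_mode" | cut -c6)   # group write bit
    _ow=$(printf '%s' "$_mode" | cut -c9)   # other write bit
    [ "$_uid" = "$2" ] && [ "$_gw" != "w" ] && [ "$_ow" != "w" ]
}

audit_include() {
    _file=$1
    _trusted=${2:-0}
    _top=${3:-/}
    [ -f "$_file" ] || { echo "MISSING $_file"; return 2; }
    _rc=0
    _p=$_file
    while :; do
        # A writable directory is as bad as a writable file: its owner can
        # rename the include script away and drop a new one in its place.
        if ! path_is_safe "$_p" "$_trusted"; then
            echo "UNSAFE $_p"
            _rc=1
        fi
        [ "$_p" = "$_top" ] && break
        _parent=$(dirname -- "$_p")
        [ "$_parent" = "$_p" ] && break
        _p=$_parent
    done
    return "$_rc"
}

# Example: audit_include "/etc/default/$SOLR_SERVICE.in.sh"
```

Running the same function against a `solr.in.sh` kept under a directory owned by `$SOLR_USER` reports that directory, which is the case the comment above wants an upgrade path for.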

