lucene-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jason Gerlowski (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-10648) Do not expose STOP.PORT and STOP.KEY in sysProps
Date Fri, 09 Nov 2018 16:46:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-10648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16681687#comment-16681687
] 

Jason Gerlowski commented on SOLR-10648:
----------------------------------------

If any users are unswayed by Jan's rationale above (+1, btw) and would like to hide sysprops
from the Admin UI, then there _is_ a workaround for this.  Users can edit {{solr.in.sh}} and
define the {{-Dsolr.redaction.system.pattern}} sysprop under SOLR_OPTS:

{code}
SOLR_OPTS="$SOLR_OPTS -Dsolr.redaction.system.pattern=(.*password.*|.*PORT|.*KEY)"
{code}

(Credit to Jan, who mentioned this on the mailing list)

> Do not expose STOP.PORT and STOP.KEY in sysProps
> ------------------------------------------------
>
>                 Key: SOLR-10648
>                 URL: https://issues.apache.org/jira/browse/SOLR-10648
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: scripts and tools
>            Reporter: Jan H√łydahl
>            Priority: Major
>              Labels: security
>
> Currently anyone with HTTP access to Solr can see the Admin UI and all the system properties.
In there you find
> {noformat}
> -DSTOP.KEY=solrrocks
> -DSTOP.PORT=7983
> {noformat}
> This means that anyone with this info can shut down Solr by hitting that port with the
key (if it is not firewalled).
> I think the simple solution is to add STOP.PORT and STOP.KEY from {{$SOLR_START_OPTS}}
to the {{$SOLR_JETTY_CONFIG[@]}} variable. It will still be visible on the cmdline but not
over HTTP.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org


Mime
View raw message