lucene-dev mailing list archives

From "Jason Gerlowski (JIRA)" <>
Subject [jira] [Commented] (SOLR-10648) Do not expose STOP.PORT and STOP.KEY in sysProps
Date Fri, 09 Nov 2018 16:46:00 GMT


Jason Gerlowski commented on SOLR-10648:

If any users are unswayed by Jan's rationale above (+1, btw) and would like to hide sysprops
from the Admin UI, then there _is_ a workaround for this.  Users can edit {{}} and
define the {{-Dsolr.redaction.system.pattern}} sysprop under SOLR_OPTS:

SOLR_OPTS="$SOLR_OPTS -Dsolr.redaction.system.pattern=(.*password.*|.*PORT|.*KEY)"

(Credit to Jan, who mentioned this on the mailing list)

> Do not expose STOP.PORT and STOP.KEY in sysProps
> ------------------------------------------------
>                 Key: SOLR-10648
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: security
> Currently anyone with HTTP access to Solr can see the Admin UI and all the system properties. In there you find
> {noformat}
> -DSTOP.KEY=solrrocks
> -DSTOP.PORT=7983
> {noformat}
> This means that anyone with this info can shut down Solr by hitting that port with the key (if it is not firewalled).
> I think the simple solution is to add STOP.PORT and STOP.KEY from {{$SOLR_START_OPTS}} to the {{$SOLR_JETTY_CONFIG[@]}} variable. It will still be visible on the cmdline but not over HTTP.
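
To check what a redaction pattern hides before relying on it, the following added example (not part of the original message and not Solr's own code) applies the pattern from the comment above to a constructed argument list. It assumes the pattern is matched case-insensitively against the whole property name and that a redacted value is shown as `--REDACTED--`; every sample argument other than the two STOP.* entries from the issue is constructed.

```python
import re

# Pattern from the comment above (value given to -Dsolr.redaction.system.pattern).
PAGE_PATTERN = r"(.*password.*|.*PORT|.*KEY)"
# Constructed narrower pattern, used only for comparison.
NARROW_PATTERN = r".*password.*"
# Assumption: placeholder text displayed in place of a redacted value.
PLACEHOLDER = "--REDACTED--"


def is_redacted(name, pattern):
    """Assumption: the pattern must match the whole property name, ignoring case."""
    return re.fullmatch(pattern, name, flags=re.IGNORECASE) is not None


def display_args(jvm_args, pattern):
    """Return the argument list as a properties page would display it."""
    shown = []
    for arg in jvm_args:
        if arg.startswith("-D") and "=" in arg:
            name = arg[2:].partition("=")[0]
            if is_redacted(name, pattern):
                arg = f"-D{name}={PLACEHOLDER}"
        shown.append(arg)
    return shown


def leaked(jvm_args, pattern, sensitive_names):
    """Names from sensitive_names that are set and would still be displayed."""
    present = {a[2:].partition("=")[0] for a in jvm_args if a.startswith("-D")}
    return sorted(n for n in sensitive_names
                  if n in present and not is_redacted(n, pattern))


# Constructed sample; the two STOP.* entries are the ones quoted in the issue.
SAMPLE_ARGS = [
    "-Xmx512m",
    "-DSTOP.KEY=solrrocks",
    "-DSTOP.PORT=7983",
    "-Djetty.port=8983",                          # over-match: ends in "port"
    "-Djavax.net.ssl.keyStorePassword=changeit",
    "-Dsolr.keyfile=/constructed/path",           # not matched: "KEY" is not at the end
]
SENSITIVE = ["STOP.KEY", "STOP.PORT", "javax.net.ssl.keyStorePassword"]

if __name__ == "__main__":
    for pat in (NARROW_PATTERN, PAGE_PATTERN):
        print(pat, "leaked:", leaked(SAMPLE_ARGS, pat, SENSITIVE))
        print("  ", display_args(SAMPLE_ARGS, pat))
```

Redaction only changes what is displayed; as the issue notes, the stop port itself remains reachable unless it is firewalled.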
