Posted to issues@lucene.apache.org by "Roman Kosenko (Jira)" <ji...@apache.org> on 2020/06/28 21:07:00 UTC
[jira] [Updated] (SOLR-14585) Check the current user in SysV init script
[ https://issues.apache.org/jira/browse/SOLR-14585?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Roman Kosenko updated SOLR-14585:
---------------------------------
Description:
While SOLR-14410 is still open I propose a quick fix/improvement for the init.d script - check the current user and, if it is the same as the RUNAS user, then don't execute "su".
Background:
Systemd has backward compatibility with SysV and is able to run scripts from /etc/init.d, but SELinux policies in many distros encourage changing the user before this stage and prohibit executing the "su" binary, so it would be logical to do this at the systemd level (/etc/systemd/system/solr.service.d/override.conf). In this case, the current init.d script for Solr is missing one very trivial check - `"$RUNAS" != "$USER"`. See the diff-file in the attachment.
Pull request: https://github.com/apache/lucene-solr/pull/1627
> Check the current user in SysV init script
> ------------------------------------------
>
> Key: SOLR-14585
> URL: https://issues.apache.org/jira/browse/SOLR-14585
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Components: scripts and tools
> Affects Versions: 8.5.2
> Reporter: Roman Kosenko
> Priority: Minor
> Labels: sysinit, systemd
> Attachments: init.d-solr.diff
>
> Time Spent: 10m
> Remaining Estimate: 0h
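An added sketch of the check the description proposes, not the code from the attachment or the pull request; it goes one step further and refuses to start when the caller is neither root nor the RUNAS account. RUNAS is the variable named in the issue; `launch_mode`, `run_solr` and `SOLR_BIN` are hypothetical names, and reading the account from `id` instead of `$USER` is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: decide whether an init script needs "su" at all.
# RUNAS comes from the issue; every other name here is hypothetical.

# launch_mode RUNAS CURRENT_USER CURRENT_UID
# Prints "direct", "su" or "refuse"; returns non-zero for "refuse".
launch_mode() {
  runas=$1 current=$2 uid=$3
  if [ -z "$runas" ] || [ "$runas" = "$current" ]; then
    echo direct   # already the target account (e.g. set by systemd): no su
  elif [ "$uid" -eq 0 ]; then
    echo su       # classic SysV path: root switches to RUNAS
  else
    echo refuse   # wrong unprivileged account: su would prompt or be denied
    return 1
  fi
}

# run_solr COMMAND
# Starts $SOLR_BIN with COMMAND, switching user only when it is required.
run_solr() {
  cmd=$1
  # $USER is only an environment variable and may be unset or inherited,
  # so the process credentials are read with id instead.
  mode=$(launch_mode "${RUNAS:-}" "$(id -un)" "$(id -u)") || {
    echo "refusing to start: run as root or as ${RUNAS}" >&2
    return 1
  }
  case $mode in
    direct) "$SOLR_BIN" "$cmd" ;;
    su)     su -c "\"$SOLR_BIN\" \"$cmd\"" - "$RUNAS" ;;
  esac
}
```

With the user already set in the systemd unit, `run_solr` takes the `direct` branch and the `su` binary is never executed, which is the case the SELinux policies described above require.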