Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/21 15:40:33 UTC

[lucene-solr] branch jira/SOLR-13984 updated: SOLR-13984: use a custom security properties file so nobody freaks out about sun.net.inetaddr.ttl

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch jira/SOLR-13984
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/jira/SOLR-13984 by this push:
     new 4204000  SOLR-13984: use a custom security properties file so nobody freaks out about sun.net.inetaddr.ttl
4204000 is described below

commit 420400063479a27bb24878abd2f86d9a50415535
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sat Dec 21 10:40:12 2019 -0500

    SOLR-13984: use a custom security properties file so nobody freaks out about sun.net.inetaddr.ttl
---
 solr/bin/solr                       |  3 +--
 solr/bin/solr.cmd                   |  3 +--
 solr/server/etc/security.properties | 24 ++++++++++++++++++++++++
 3 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/solr/bin/solr b/solr/bin/solr
index 3d8bce2..e24ca45 100755
--- a/solr/bin/solr
+++ b/solr/bin/solr
@@ -2072,11 +2072,10 @@ else
 fi
 
 # Enable java security manager (limiting filesystem access and other things)
-# Don't cache DNS lookups forever, set the value back to the original JDK default.
 if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
   SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
     "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
-    '-Dsun.net.inetaddr.ttl=30' \
+    "-Djava.security.properties=${SOLR_SERVER_DIR}/etc/security.properties" \
     '-Dsolr.internal.network.permission=*')
 else
   SECURITY_MANAGER_OPTS=()
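Review bot: Nothing in this block checks that `${SOLR_SERVER_DIR}/etc/security.properties` exists and is readable before it is passed as `-Djava.security.properties`, and as far as I know the JVM skips an unreadable extra properties file without any message unless security debugging is enabled. With the old `-Dsun.net.inetaddr.ttl=30` the TTL was always applied; now a missing file (a partial upgrade, a custom server directory) silently goes back to caching DNS lookups forever under the security manager. A guard before the array assignment would make that visible, e.g. `[ -r "${SOLR_SERVER_DIR}/etc/security.properties" ] || echo "WARNING: ${SOLR_SERVER_DIR}/etc/security.properties is not readable; security property overrides will not apply" >&2`. The same applies to the solr.cmd hunk, and the `if` block is closed outside this hunk.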
diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index b2a8353..3129e32 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -1167,11 +1167,10 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
 )
 
 REM Enable java security manager (limiting filesystem access and other things)
-REM Don't cache DNS lookups forever, set the value back to the original JDK default.
 IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
   set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
 -Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
--Dsun.net.inetaddr.ttl=30 ^
+-Djava.security.properties="%SOLR_SERVER_DIR%\etc\security.properties" ^
 -Dsolr.internal.network.permission=*
 )
 
diff --git a/solr/server/etc/security.properties b/solr/server/etc/security.properties
new file mode 100644
index 0000000..7f196a8
--- /dev/null
+++ b/solr/server/etc/security.properties
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# command-line security properties file
+#
+# By default, when enabling security manager, DNS lookups are cached indefinitely,
+# as protection against DNS spoofing.  We set this back to the default (non-security-manager)
+# value of 30 seconds, to prevent surprising behavior (e.g. nodes in cloud environments without
+# static IP addresses). Users concerned about DNS spoofing should instead follow best practices:
+# populating solr.shardsWhitelist, enabling TLS, etc.
+networkaddress.cache.ttl=30
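Review bot: The header comment in the new security.properties explains the TTL value but not how the file takes effect. Because the launch scripts pass it with a single `=`, the JVM merges it over the JDK's own java.security, and only while `security.overridePropertiesFile` is left at `true` there; I would add `# Merged over the JDK's java.security at startup; ignored if security.overridePropertiesFile=false in the JDK.` Any security property placed in this file overrides the JDK value, so a second line such as `# Keep this file writable only by the installing user, not by the Solr runtime account.` would record that it needs the same protection as security.policy.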