Posted to notifications@james.apache.org by ka...@apache.org on 2023/03/12 11:50:55 UTC
[james-project] 07/07: JAMES-3881 WARN if no JMX authentication is setup
This is an automated email from the ASF dual-hosted git repository.
kao pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git
commit d3d738838634e1ccb6699e1af64f7e8c63b0bb84
Author: Benoit Tellier <bt...@linagora.com>
AuthorDate: Fri Feb 17 10:21:12 2023 +0700
JAMES-3881 WARN if no JMX authentication is setup
(cherry picked from commit 3718ee5a79e1986156c8c1e13ba201a02bb8f232)
---
.../java/org/apache/james/app/spring/JamesAppSpringMain.java | 9 +++++++--
.../src/main/java/org/apache/james/modules/server/JMXServer.java | 4 ++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java b/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
index 7366395b6c..e88001f8ac 100644
--- a/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
+++ b/server/apps/spring-app/src/main/java/org/apache/james/app/spring/JamesAppSpringMain.java
@@ -40,12 +40,17 @@ public class JamesAppSpringMain implements Daemon {
private static final ObjectName ALL_OBJECT_NAME = null;
private static final QueryExp ALL_QUERY_EXP = null;
- private static final Logger log = LoggerFactory.getLogger(JamesAppSpringMain.class.getName());
+ private static final Logger LOGGER = LoggerFactory.getLogger(JamesAppSpringMain.class.getName());
private JamesServerApplicationContext context;
public static void main(String[] args) throws Exception {
unregisterLog4JMBeans();
+ if (System.getProperty("com.sun.management.jmxremote.password.file") == null) {
+ LOGGER.warn("No authentication setted up for the JMX component. This expose you to local privilege escalation attacks risk. " +
+ "This can be done via the 'com.sun.management.jmxremote.password.file' system property.");
+ }
+
long start = Calendar.getInstance().getTimeInMillis();
JamesAppSpringMain main = new JamesAppSpringMain();
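Review bot: The new check in `main` only tests whether `com.sun.management.jmxremote.password.file` is set, so an empty value or a path to a missing file suppresses the warning even though authentication may still not be effective. Consider validating the path as well, e.g. `String pwd = System.getProperty("com.sun.management.jmxremote.password.file");` followed by `if (pwd == null || !Files.isRegularFile(Paths.get(pwd))) {`. The message wording is also off ("setted up", "This expose you"), and "This can be done via ..." reads as if it refers to the attack rather than the fix; `"No authentication set up for the JMX component. This exposes you to local privilege escalation attacks. Configure it via the 'com.sun.management.jmxremote.password.file' system property."` is clearer, and the same wording issue applies to the warning added in the JMXServer hunk. `main` continues past the end of this hunk.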
@@ -53,7 +58,7 @@ public class JamesAppSpringMain implements Daemon {
long end = Calendar.getInstance().getTimeInMillis();
- log.info("Apache James Server is successfully started in {} milliseconds.", end - start);
+ LOGGER.info("Apache James Server is successfully started in {} milliseconds.", end - start);
}
diff --git a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
index 6aa801314a..901926dad2 100644
--- a/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
+++ b/server/container/guice/jmx/src/main/java/org/apache/james/modules/server/JMXServer.java
@@ -121,6 +121,10 @@ public class JMXServer implements Startable {
restrictingRMISocketFactory = new RestrictingRMISocketFactory(jmxConfiguration.getHost().getHostName());
LocateRegistry.createRegistry(jmxConfiguration.getHost().getPort(), restrictingRMISocketFactory, restrictingRMISocketFactory);
generateJMXPasswordFileIfNeed();
+
+ if (!existJmxPasswordFile()) {
+ LOGGER.warn("No authentication setted up for the JMX component. This expose you to local privilege escalation attacks risk.");
+ }
Map<String, String> environment = Optional.of(existJmxPasswordFile())
.filter(FunctionalUtils.identityPredicate())
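Review bot: `existJmxPasswordFile()` is now evaluated twice, once for the new warning and again on the following line to build the connector environment, so the log and the configuration actually applied can disagree if the file appears or disappears in between. Reading it once into a local (`boolean passwordFilePresent = existJmxPasswordFile();`) and using that for both keeps them consistent. Unlike the Spring entry point's message, this warning gives no remediation hint, and including the host and port from `jmxConfiguration` would tell an operator which endpoint is unauthenticated. Startup still proceeds without authentication after the warning; if that is deliberate for backward compatibility, a short comment saying so would help. The enclosing method begins before this hunk and the `environment` expression continues past it.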