Posted to commits@lucene.apache.org by rm...@apache.org on 2019/12/14 20:13:09 UTC

[lucene-solr] branch jira/SOLR-13984 updated: SOLR-13984: windows support

This is an automated email from the ASF dual-hosted git repository.

rmuir pushed a commit to branch jira/SOLR-13984
in repository https://gitbox.apache.org/repos/asf/lucene-solr.git


The following commit(s) were added to refs/heads/jira/SOLR-13984 by this push:
     new edeb8c8  SOLR-13984: windows support
edeb8c8 is described below

commit edeb8c86b1148d5425abd3e52a9935e56e3b428f
Author: Robert Muir <rm...@apache.org>
AuthorDate: Sat Dec 14 12:10:12 2019 -0800

    SOLR-13984: windows support
---
 solr/bin/solr.cmd               | 14 ++++++++++++--
 solr/bin/solr.in.cmd            |  5 +++++
 solr/server/etc/security.policy |  2 ++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/solr/bin/solr.cmd b/solr/bin/solr.cmd
index b48c537..5206d91 100755
--- a/solr/bin/solr.cmd
+++ b/solr/bin/solr.cmd
@@ -994,7 +994,7 @@ set "EXAMPLE_DIR=%SOLR_TIP%\example"
 set TMP_SOLR_HOME=!SOLR_HOME:%EXAMPLE_DIR%=!
 IF NOT "%TMP_SOLR_HOME%"=="%SOLR_HOME%" (
   set "SOLR_LOGS_DIR=%SOLR_HOME%\..\logs"
-  set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+  set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
 )
 
 set IS_RESTART=0
@@ -1164,6 +1164,15 @@ IF "%ENABLE_REMOTE_JMX_OPTS%"=="true" (
   set REMOTE_JMX_OPTS=
 )
 
+REM Enable java security manager (limiting filesystem access and other things)
+REM Don't cache DNS lookups forever, set the value back to the original JDK default.
+IF "%SOLR_SECURITY_MANAGER_ENABLED%"=="true" (
+  set SECURITY_MANAGER_OPTS=-Djava.security.manager ^
+-Djava.security.policy="%SOLR_SERVER_DIR%\etc\security.policy" ^
+-Dsun.net.inetaddr.ttl=30 ^
+-Dsolr.internal.network.permission=*
+)
+
 IF NOT "%SOLR_HEAP%"=="" set SOLR_JAVA_MEM=-Xms%SOLR_HEAP% -Xmx%SOLR_HEAP%
 IF "%SOLR_JAVA_MEM%"=="" set SOLR_JAVA_MEM=-Xms512m -Xmx512m
 IF "%SOLR_JAVA_STACK_SIZE%"=="" set SOLR_JAVA_STACK_SIZE=-Xss256k
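Review bot: SECURITY_MANAGER_OPTS is assigned only when SOLR_SECURITY_MANAGER_ENABLED is "true" and is never cleared otherwise, so a value inherited from the calling environment would still be appended to START_OPTS by the later `IF NOT "!SECURITY_MANAGER_OPTS!"==""` line. The REMOTE_JMX_OPTS block just above appears to reset its variable in the other branch with `set REMOTE_JMX_OPTS=`; the same pattern here, `) ELSE (` followed by `set SECURITY_MANAGER_OPTS=`, keeps the flag as the only switch. The second REM line would also be clearer if it named the option it explains, e.g. `REM sun.net.inetaddr.ttl=30: do not cache DNS lookups forever once the security manager is on`.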
@@ -1255,6 +1264,7 @@ IF NOT "%REMOTE_JMX_OPTS%"=="" set "START_OPTS=%START_OPTS% %REMOTE_JMX_OPTS%"
 IF NOT "%SOLR_ADDL_ARGS%"=="" set "START_OPTS=%START_OPTS% %SOLR_ADDL_ARGS%"
 IF NOT "%SOLR_HOST_ARG%"=="" set "START_OPTS=%START_OPTS% %SOLR_HOST_ARG%"
 IF NOT "%SOLR_OPTS%"=="" set "START_OPTS=%START_OPTS% %SOLR_OPTS%"
+IF NOT "!SECURITY_MANAGER_OPTS!"=="" set "START_OPTS=%START_OPTS% !SECURITY_MANAGER_OPTS!"
 IF "%SOLR_SSL_ENABLED%"=="true" (
   set "SSL_PORT_PROP=-Dsolr.jetty.https.port=%SOLR_PORT%"
   set "START_OPTS=%START_OPTS% %SOLR_SSL_OPTS% !SSL_PORT_PROP!"
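Review bot: The hard-coded `-Dsolr.internal.network.permission=*` reaches the JVM after SOLR_OPTS because SECURITY_MANAGER_OPTS is appended on the line following it, so an operator who tries to narrow the SocketPermission grant through SOLR_OPTS would presumably be overridden, since the JVM normally keeps the last duplicate `-D`. With the flag on, the sandbox therefore limits file access but leaves accept, listen and connect open to every host. Either append SECURITY_MANAGER_OPTS before the SOLR_OPTS line so the operator's value wins, or state the limitation where the option is set, e.g. `REM network access is not restricted: solr.internal.network.permission is always *`. The START_OPTS assembly starts and continues outside this hunk.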
@@ -1266,7 +1276,7 @@ set SOLR_DATA_HOME_QUOTED="%SOLR_DATA_HOME%"
 
 set "START_OPTS=%START_OPTS% -Dsolr.log.dir=%SOLR_LOGS_DIR_QUOTED%"
 IF NOT "%SOLR_DATA_HOME%"=="" set "START_OPTS=%START_OPTS% -Dsolr.data.home=%SOLR_DATA_HOME_QUOTED%"
-IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=file:///%SOLR_SERVER_DIR%\resources\log4j2.xml"
+IF NOT DEFINED LOG4J_CONFIG set "LOG4J_CONFIG=%SOLR_SERVER_DIR%\resources\log4j2.xml"
 
 cd /d "%SOLR_SERVER_DIR%"
 
diff --git a/solr/bin/solr.in.cmd b/solr/bin/solr.in.cmd
index e462336..a3f22af 100755
--- a/solr/bin/solr.in.cmd
+++ b/solr/bin/solr.in.cmd
@@ -175,3 +175,8 @@ REM For a visual indication in the Admin UI of what type of environment this clu
 REM a -Dsolr.environment property below. Valid values are prod, stage, test, dev, with an optional
 REM label or color, e.g. -Dsolr.environment=test,label=Functional+test,color=brown
 REM SOLR_OPTS="$SOLR_OPTS -Dsolr.environment=prod"
+
+REM Runs solr in a java security manager sandbox. This can protect against some attacks.
+REM Runtime properties are passed to the security policy file (server\etc\security.policy)
+REM This is experimental! It may not work at all with HDFS.
+REM set SOLR_SECURITY_MANAGER_ENABLED=false
diff --git a/solr/server/etc/security.policy b/solr/server/etc/security.policy
index 73da119..bcf82b9 100644
--- a/solr/server/etc/security.policy
+++ b/solr/server/etc/security.policy
@@ -196,6 +196,8 @@ grant {
   permission java.io.FilePermission "${solr.log.dir}", "read,write,delete,readlink";
   permission java.io.FilePermission "${solr.log.dir}${/}-", "read,write,delete,readlink";
 
+  permission java.io.FilePermission "${log4j.configurationFile}", "read,write,delete,readlink";
+
   // expanded to a wildcard if set, allows all networking everywhere
   permission java.net.SocketPermission "${solr.internal.network.permission}", "accept,listen,connect,resolve";
 };
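Review bot: The added grant gives `write` and `delete` on the Log4j configuration file, which is more than loading the configuration needs as far as this hunk shows; code running inside the sandbox could then rewrite or remove the logging configuration. Unless something is known to write that file, `permission java.io.FilePermission "${log4j.configurationFile}", "read,readlink";` is the narrower grant. The entry also depends on the property holding a plain file path, which is what the solr.cmd hunks change the default to; a LOG4J_CONFIG supplied by the operator as a `file:///` URL would not match a FilePermission path, and that deserves a comment above the line. The grant block starts outside the hunk.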