Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2018/10/04 08:02:00 UTC

[jira] [Commented] (SOLR-10648) Do not expose STOP.PORT and STOP.KEY in sysProps

    [ https://issues.apache.org/jira/browse/SOLR-10648?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16637916#comment-16637916 ] 

Jan Høydahl commented on SOLR-10648:
------------------------------------

Also, the install script could by default generate a random {{STOP.KEY}} and put that in {{solr.in.sh}}, so that prod setups do not share the default {{solrrocks}} key.
{quote}These two mechanisms should at least be made aware of each other, e.g. the metrics could both filter out "hidden" sysprops, as well as redact those listed in {{RedactionUtils}}.
{quote}
This is perhaps for another Jira issue, but should not the solr.xml configurable list be owned by RedactionUtils and not the Metrics module? Then the metrics code can talk to RedactionUtils?

> Do not expose STOP.PORT and STOP.KEY in sysProps
> ------------------------------------------------
>
>                 Key: SOLR-10648
>                 URL: https://issues.apache.org/jira/browse/SOLR-10648
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Priority: Major
>              Labels: security
>
> Currently anyone with HTTP access to Solr can see the Admin UI and all the system properties. In there you find
> {noformat}
> -DSTOP.KEY=solrrocks
> -DSTOP.PORT=7983
> {noformat}
> This means that anyone with this info can shut down Solr by hitting that port with the key (if it is not firewalled).
> I think the simple solution is to add STOP.PORT and STOP.KEY from {{$SOLR_START_OPTS}} to the {{$SOLR_JETTY_CONFIG[@]}} variable. It will still be visible on the cmdline but not over HTTP.
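The install-script idea from the comment above (a per-install random {{STOP.KEY}} in {{solr.in.sh}} instead of the shared {{solrrocks}} default), as an added example that is not Solr's own install script. It assumes bin/solr reads the stop key from a {{STOP_KEY}} variable in {{solr.in.sh}} (check the bin/solr of your release), and includes an audit check that reports whether a file still carries the default key.

```shell
#!/bin/sh
# Added example, not Solr's own code. Assumption: bin/solr takes the stop key
# from a STOP_KEY variable in solr.in.sh (verify against your release).

DEFAULT_STOP_KEY="solrrocks"   # the key Solr ships with, shared by every default install

# Print 32 hex chars (128 bits) drawn from the kernel CSPRNG.
random_stop_key() {
  od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the STOP_KEY value set in FILE (last assignment wins), empty if unset.
current_stop_key() {
  sed -n 's/^STOP_KEY=//p' "$1" | tail -n 1 | tr -d '"'
}

# Exit 0 when FILE still leaves the stop key at the shipped default
# (either unset, so bin/solr falls back to it, or literally "solrrocks").
stop_key_is_default() {
  key=$(current_stop_key "$1")
  [ -z "$key" ] || [ "$key" = "$DEFAULT_STOP_KEY" ]
}

# Idempotently pin a fresh random STOP_KEY in FILE: replace an existing
# assignment in place, otherwise append one. Prints the key that was set.
set_random_stop_key() {
  file=$1
  key=$(random_stop_key)
  if grep -q '^STOP_KEY=' "$file"; then
    # Write to a temp file and move it over; avoids sed -i flavour differences.
    tmp="$file.tmp.$$"
    sed "s/^STOP_KEY=.*/STOP_KEY=\"$key\"/" "$file" > "$tmp" && mv "$tmp" "$file"
  else
    printf 'STOP_KEY="%s"\n' "$key" >> "$file"
  fi
  printf '%s\n' "$key"
}
```

Run `stop_key_is_default /path/to/solr.in.sh` on existing nodes to find installs that never changed the key; note that this only stops the key from being shared, the sysprop exposure discussed in the issue still has to be closed separately.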



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
