[ https://issues.apache.org/jira/browse/SOLR-10644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jan Høydahl reopened SOLR-10644:
--------------------------------
Reopening...
That's why I opened SOLR-10646, to avoid putting at least basic auth pwd on the
command line. But then it turns out that kerberos mode needs them...
I know there are other efforts under way to secure other passwords better, so
perhaps we'll at some point get rid of pws both in solr.in and in cmdline.
An option someone proposed was to pass passwords through shell env variables
but *not* as Java Option. That way it is not visible in ps, but Solr could
still read the variable with {{System.getenv()}}... In that case it could make
sense to have password in a {{o-rwx}} solr.in.sh file?
> solr.in.sh installed by install script should be writable by solr user
> ----------------------------------------------------------------------
>
> Key: SOLR-10644
> URL: https://issues.apache.org/jira/browse/SOLR-10644
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: scripts and tools
> Reporter: Jan Høydahl
> Assignee: Jan Høydahl
> Fix For: 6.6, master (7.0)
>
> Attachments: SOLR-10644.patch
>
>
> Spinoff from SOLR-8440
> {{install_solr_service.sh}} installs {{solr.in.sh}} as world-readable but not
> solr user writable:
> {noformat}
> -rw-r--r-- 1 root root 5968 Feb 15 14:55 /etc/default/solr.in.sh
> {noformat}
> For better security, and ease for scripts to update solr.in.sh, this should
> change to:
> {noformat}
> -rw-rw---- 1 root solr 5968 Feb 15 14:55 /etc/default/solr.in.sh
> {noformat}
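The two exposures discussed in this message, as an added example that is not part of the original mail or of Solr's scripts: one function checks that an include file carries no permission bits for "other" (the `o-rwx` state), the other flags password-like `-D` options in a Java command line. The temporary file, the property name `example.auth.password` and the name patterns are assumptions made for the demonstration; ownership (`root:solr`) is not checked.

```shell
#!/bin/sh
# Added example, not Solr project code.

# 0 if no "other" permission bit is set (the o-rwx state), 1 if any is set,
# 2 if the path is not a regular file.
no_world_access() {
    [ -f "$1" ] || return 2
    # Three POSIX "-perm -mode" tests; output is empty when none matches.
    [ -z "$(find "$1" -prune \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print)" ]
}

# 0 if any argument is a -Dname=value option whose name looks like a secret.
# Such a value is normally visible to other local users through ps.
cmdline_exposes_secret() {
    for arg in "$@"; do
        case "$arg" in
            -D*=*)
                name=$(printf '%s' "${arg%%=*}" | tr '[:upper:]' '[:lower:]')
                case "$name" in
                    *password*|*passwd*|*pwd*|*credential*) return 0 ;;
                esac ;;
        esac
    done
    return 1
}

# Demo on a constructed temporary file, not the real /etc/default/solr.in.sh.
demo() {
    tmp=$(mktemp -d) || return 1
    : > "$tmp/solr.in.sh"
    for mode in 644 660; do
        chmod "$mode" "$tmp/solr.in.sh"
        if no_world_access "$tmp/solr.in.sh"; then
            echo "mode $mode: ok, not accessible to other users"
        else
            echo "mode $mode: accessible to other users"
        fi
    done
    # Constructed command line; example.auth.password is a hypothetical name.
    if cmdline_exposes_secret java -Dexample.auth.password=s3cret -jar start.jar; then
        echo "command line: password-like -D option visible in ps"
    fi
    rm -rf "$tmp"
}
demo
```

An environment variable keeps the value out of `ps` argument listings, but on Linux it remains readable from `/proc/<pid>/environ` by the process owner and root.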