[
https://issues.apache.org/jira/browse/SOLR-8101?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14935151#comment-14935151
]
Shawn Heisey commented on SOLR-8101:
------------------------------------
I think it needs to look for the include script in the solr home first, for
compatibility with existing installations.
If we want to avoid that because of the potential security implications, then
we must have explicit upgrade instructions that discuss moving the include
script and changing its permissions. I would like to see an upgrade script
that does all the heavy lifting for an upgrade, including looking for the
include script in the solr home, moving it to /etc, renaming it, and setting
the permissions.
> Installation script permission issues and other scripts fixes
> -------------------------------------------------------------
>
> Key: SOLR-8101
> URL: https://issues.apache.org/jira/browse/SOLR-8101
> Project: Solr
> Issue Type: Improvement
> Components: scripts and tools
> Affects Versions: 5.3.1
> Reporter: Sergey Urushkin
> Labels: patch, security
> Attachments: solr-5.3.1.patch
>
>
> Until [https://issues.apache.org/jira/browse/SOLR-7871] is fixed, I suggest
> to improve current shell scripts. Provided patch:
> * changes {{$SOLR_ENV}} default to {{/etc/default/$SOLR_SERVICE.in.sh}} .
> This is a *security* issue. If {{solr.in.sh}} is placed in a directory which is
> writable by {{$SOLR_USER}}, the solr process is able to write to it, and then it
> will be run by root on start/shutdown.
> * changes permissions. {{$SOLR_USER}} should only be able to write to
> {{$SOLR_VAR_DIR}} {{$SOLR_INSTALL_DIR/server/solr-webapp}}
> {{$SOLR_INSTALL_DIR/server/logs}} . {{solr-webapp}} directory might be
> inspected more. These directories should not be readable by other users as
> they may contain personal information.
> * sets {{$SOLR_USER}} home directory to {{$SOLR_VAR_DIR}} . As far as I can see
> there is no need for the {{/home/solr}} directory.
> * adds quotes to unquoted variables
> * adds leading zero to chmod commands
> * removes group from chown commands (uses ":")
> Tested on ubuntu 14.04 amd64, but changes are pretty system-independent.
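
The risk described in the issue (root sourcing an include script that the service user can modify) can be audited with a short check. This is an added example, not part of the thread or of the attached patch; it assumes GNU stat, and the function names and the script name `audit.sh` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the SOLR-8101 patch). Assumes GNU stat (Linux).
# include_is_safe and check_entry are hypothetical helper names.

# check_entry PATH TRUSTED_UID
# Fails if PATH is not owned by TRUSTED_UID or is group/world-writable.
check_entry() {
    owner=$(stat -L -c '%u' -- "$1") || return 1
    mode=$(stat -L -c '%a' -- "$1") || return 1
    if [ "$owner" != "$2" ]; then
        echo "UNSAFE: $1 is owned by uid $owner, expected uid $2" >&2
        return 1
    fi
    # 022 masks the group-write and other-write bits of the octal mode.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "UNSAFE: $1 has mode $mode (group- or world-writable)" >&2
        return 1
    fi
    return 0
}

# include_is_safe FILE [TRUSTED_UID]
# Checks the include script and the directory that holds it; write access to
# either one lets the writer control what root sources. Ancestor directories
# further up are not walked. TRUSTED_UID defaults to 0 (root).
include_is_safe() {
    file=$1
    trusted=${2:-0}
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "UNSAFE: $file is a symlink or not a regular file" >&2
        return 1
    fi
    check_entry "$file" "$trusted" || rc=1
    check_entry "$(dirname -- "$file")" "$trusted" || rc=1
    return $rc
}

# Example: sh audit.sh "/etc/default/$SOLR_SERVICE.in.sh"
if [ $# -gt 0 ]; then
    include_is_safe "$@"
fi
```

A non-zero exit status means the file or its directory can be changed by someone other than the trusted owner; the reasons are printed to stderr.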