[ https://issues.apache.org/jira/browse/SOLR-10644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16007110#comment-16007110 ]

Jan Høydahl commented on SOLR-10644:
------------------------------------

Good point. Let's keep it root owned. But can we make it "solr" readable 
without also being readable to the world (given that the file may contain 
passwords)? We could do:
{noformat}
chown root:${SOLR_USER} "/etc/default/$SOLR_SERVICE.in.sh"
chmod 0640 "/etc/default/$SOLR_SERVICE.in.sh"
{noformat}
This would produce
{noformat}
-rw-r----- 1 root solr 5968 Feb 15 14:55 /etc/default/solr.in.sh
{noformat}
This will only work if the user group with the same name is there, which I believe 
is the default on Debian-based systems at least...

> solr.in.sh installed by install script should be writable by solr user
> ----------------------------------------------------------------------
>
>                 Key: SOLR-10644
>                 URL: https://issues.apache.org/jira/browse/SOLR-10644
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>             Fix For: 6.6, master (7.0)
>
>         Attachments: SOLR-10644.patch
>
>
> Spinoff from SOLR-8440
> {{install_solr_service.sh}} installs {{solr.in.sh}} as world-readable but not 
> solr user writable:
> {noformat}
> -rw-r--r-- 1 root root 5968 Feb 15 14:55 /etc/default/solr.in.sh
> {noformat}
> For better security, and ease for scripts to update solr.in.sh, this should 
> change to:
> {noformat}
> -rw-rw---- 1 root solr 5968 Feb 15 14:55 /etc/default/solr.in.sh
> {noformat}
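
A check for the ownership and mode discussed in this thread, as an added example that is not part of the original message or of Solr's install script. The function names are hypothetical, and it assumes GNU coreutils `stat` and a system that provides `getent`. It accepts both the `0640` and the `0660` variant, since neither grants anything to "other".

```shell
#!/bin/sh
# Added example: audit an include file such as /etc/default/solr.in.sh.
# Function names are hypothetical; assumes GNU stat (-c) and getent.

# group_exists NAME: succeeds only when a group called NAME is defined,
# which is the precondition for "chown root:NAME" to work at all.
group_exists() {
  getent group "$1" >/dev/null 2>&1
}

# check_env_file FILE OWNER GROUP
# Returns 0 when FILE is owned by OWNER:GROUP and its mode gives no
# read/write/execute bit to "other". Prints each finding, returns 1 otherwise.
check_env_file() {
  file=$1 want_owner=$2 want_group=$3
  [ -f "$file" ] || { echo "missing: $file"; return 1; }
  # Octal mode, owner name and group name, e.g. "640 root solr".
  set -- $(stat -c '%a %U %G' "$file")
  mode=$1 owner=$2 group=$3
  rc=0
  case $mode in
    # The last octal digit holds the bits for "other"; anything but 0 fails.
    *[1-7]) echo "$file: mode $mode grants access to other"; rc=1 ;;
  esac
  [ "$owner" = "$want_owner" ] || {
    echo "$file: owner is $owner, expected $want_owner"; rc=1; }
  [ "$group" = "$want_group" ] || {
    echo "$file: group is $group, expected $want_group"; rc=1; }
  return $rc
}

# Usage: sh check_env_file.sh /etc/default/solr.in.sh [group]
# The group defaults to "solr", the name shown in the listings above.
if [ -n "${1:-}" ]; then
  grp=${2:-solr}
  group_exists "$grp" || echo "group '$grp' does not exist; chown root:$grp would fail"
  check_env_file "$1" root "$grp"
fi
```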


