On 06/08/2016 at 11:43, Taher Alkhateeb wrote:
Hi Jacques,

I think that filling the whitelist, etc. might be something to keep in
the page on securing OFBiz (documentation).

I prefer to have a direct link to the notsoserial documentation to be sure it's up
to date. That's what I did on the related wiki page.

I understand your point about
making it more "explicit" which makes sense, it has, however, the downside
of making the users aware that there are different tasks to run, and also
the rc scripts need to be modified to production and might be confusing
(ofbiz, ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too
many options to choose from in a production environment.

No strong opinion, but I am suggesting to make it a little easier for
people with a less-is-more kind of approach.

What would you suggest? It seems to me that removing these options would
degrade the information about rare but possible vulnerabilities.

Jacques


Taher Alkhateeb

On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux <[email protected]> wrote:

The idea is that by default the task does not do much. You have to follow
the advice they give to make it really effective (filling a whitelist is
the better way).

That's why I separated it from the rest to make it more obvious for users.

Currently "gradlew tasks" gives you this information:

Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
pre-loading the notsoserial Java agent
Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup commands
in background (secure mode) and output to console.log

Jacques
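To make the distinction being discussed concrete, here is an added Gradle sketch of what an "ofbizSecure"-style task does compared with the plain task: it starts the same JVM with the same commands, but pre-loads the notsoserial agent and points it at a whitelist of classes allowed to be deserialized. This is illustration written for this thread, not OFBiz's real build.gradle and not code from the notsoserial project; the task structure, `ofbizMainClass`, the jar path and the whitelist/dry-run file locations are assumptions, and the `notsoserial.whitelist` and `notsoserial.dryrun` system property names should be checked against the notsoserial documentation linked from the wiki page before use.

```groovy
// Added illustration, not OFBiz's actual build.gradle.
// Assumed values: main class, agent jar location, whitelist and dry-run files.
def ofbizMainClass = 'org.apache.ofbiz.base.start.Start'                // assumption
def notsoserialJar = file('tools/security/notsoserial.jar')             // assumption
def whitelistFile  = file('tools/security/notsoserial-whitelist.txt')   // assumption
def dryRunFile     = file('runtime/logs/notsoserial-dryrun.txt')        // assumption

// Startup commands can be passed as -PofbizCommands="load-data" etc.
def ofbizCommands = project.hasProperty('ofbizCommands') ? ofbizCommands.split(' ') : []

// Plain task: run OFBiz with no agent at all.
task ofbiz(type: JavaExec) {
    description = 'Execute OFBiz startup commands'
    classpath = sourceSets.main.runtimeClasspath
    main = ofbizMainClass
    args ofbizCommands
}

// "Secure" variant: identical JVM and commands, but the agent is loaded first
// and only classes named in the whitelist may be deserialized. An empty or
// missing whitelist is exactly the "does not do much" default from the thread:
// the agent alone blocks nothing useful until the list is filled in.
task ofbizSecure(type: JavaExec) {
    description = 'Execute OFBiz startup commands pre-loading the notsoserial Java agent'
    classpath = sourceSets.main.runtimeClasspath
    main = ofbizMainClass
    args ofbizCommands
    jvmArgs "-javaagent:${notsoserialJar}",
            "-Dnotsoserial.whitelist=${whitelistFile}"  // property name per notsoserial docs (verify)
}

// Dry-run variant used to build the whitelist: nothing is blocked, every class
// that is actually deserialized during a normal run is recorded to a file. The
// recorded names are then reviewed and copied into the whitelist, after which
// ofbizSecure is used instead.
task ofbizSecureDryRun(type: JavaExec) {
    description = 'Run OFBiz with the notsoserial agent in dry-run mode to collect deserialized classes'
    classpath = sourceSets.main.runtimeClasspath
    main = ofbizMainClass
    args ofbizCommands
    jvmArgs "-javaagent:${notsoserialJar}",
            "-Dnotsoserial.dryrun=${dryRunFile}"  // property name per notsoserial docs (verify)
}
```

The point of keeping the three tasks side by side is that the only difference between `ofbiz` and `ofbizSecure` is the `jvmArgs` line, which is why the thread can reasonably ask whether the agent should simply be part of the regular task; the dry-run task is what actually makes the whitelist meaningful, since an empty whitelist gives no protection.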



On 06/08/2016 at 03:33, Scott Gray wrote:

Why isn't whatever functionality 'ofbizSecure' provides, just included as
part of the regular 'ofbiz' task?

On 5 August 2016 at 21:35, Jacques Le Roux <[email protected]> wrote:

On 05/08/2016 at 11:21, Taher Alkhateeb wrote:
+1 makes sense
Should we also remove the tasks ofbizSecure and ofbizBackgroundSecure and
replace them with some scripts in /tools if people are not using them? (I
assume we only use them with demos?)

On Aug 5, 2016 10:07 AM, "Jacques Le Roux" <[email protected]> wrote:

Nope, those are intended to be used in production if ever you need it.
See the warning at https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure for details.

Jacques



