I would suggest enabling the whitelist by default, adding whatever classes
OFBiz needs OOTB and then having a clear failure message in the logs when a
custom class fails serialization.  Would that work?

Regards
Scott

On 6/08/2016 23:13, "Jacques Le Roux" <[email protected]> wrote:

> I'd not be against but we need to be clear while documenting that it's
> not enough for security (when needed, users need to refer to the wiki
> page), a white list is necessary (again only when needed, not OOTB)
>
> I guess (at least I hope for them) most sysadmins, devops are aware of
> the possible issue, but simpler users need to be warned...
>
> Jacques
>
> On 06/08/2016 at 12:49, Taher Alkhateeb wrote:
>
>> Hi Jacques,
>>
>> As I referred to earlier I suggest the following:
>>
>> - remove ofbizSecure and ofbizBackgroundSecure
>> - make all other server tasks secure by default (i.e. loading
>>   notsoserial and all other jvm args which are currently used in
>>   ofbizSecure). This means ofbiz, ofbizBackground and ofbizDebug
>> - update the documentation so that users need not worry about calling
>>   any secure tasks. So they only need to do custom work such as the
>>   whitelist, etc ...
>>
>> I am not sure but I think there is no performance penalty, right? That
>> is why I suggest lumping them together.
>>
>> Taher Alkhateeb
>>
>> On Aug 6, 2016 11:40 AM, "Jacques Le Roux" <[email protected]>
>> wrote:
>>
>>> On 06/08/2016 at 11:43, Taher Alkhateeb wrote:
>>>
>>>> Hi Jacques,
>>>>
>>>> I think that filling the white list, etc ... might be something to
>>>> keep in the page on securing OFBiz (documentation).
>>>
>>> I prefer to have a direct link to the notsoserial documentation to be
>>> sure it's up to date. That's what I did on the related wiki page.
>>>
>>>> I understand your point about making it more "explicit" which makes
>>>> sense, it has, however, the downside of making the users aware that
>>>> there are different tasks to run, and also the rc scripts need to be
>>>> modified to production and might be confusing (ofbiz,
>>>> ofbizBackground, ofbizBackgroundSecure, ofbizSecure) might be too
>>>> many options to choose from in a production environment.
>>>>
>>>> No strong opinion, but I am suggesting to make it a little easier for
>>>> people with a less-is-more kind of approach.
>>>>
>>>> What would you suggest?
>>>
>>> It seems to me that removing these options would degrade the
>>> information about rare but possible vulnerabilities.
>>>
>>> Jacques
>>>
>>>> Taher Alkhateeb
>>>>
>>>> On Sat, Aug 6, 2016 at 11:44 AM, Jacques Le Roux
>>>> <[email protected]> wrote:
>>>>
>>>>> The idea is that by default the task does not do much. You have to
>>>>> follow the advice they give to make it really effective (filling a
>>>>> white list is the better way).
>>>>>
>>>>> That's why I separated it from the rest to make it more obvious for
>>>>> users.
>>>>>
>>>>> Currently "gradlew tasks" gives you this information:
>>>>>
>>>>> Pattern: ofbizSecure <Commands>: Execute OFBiz startup commands
>>>>> pre-loading the notsoserial Java agent
>>>>> Pattern: ofbizBackgroundSecure <Commands>: Execute OFBiz startup
>>>>> commands in background (secure mode) and output to console.log
>>>>>
>>>>> Jacques
>>>>>
>>>>> On 06/08/2016 at 03:33, Scott Gray wrote:
>>>>>
>>>>>> Why isn't whatever functionality 'ofbizSecure' provides just
>>>>>> included as part of the regular 'ofbiz' task?
>>>>>>
>>>>>> On 5 August 2016 at 21:35, Jacques Le Roux
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>>> On 05/08/2016 at 11:21, Taher Alkhateeb wrote:
>>>>>>>
>>>>>>>> +1 makes sense
>>>>>>>>
>>>>>>>> Should we also remove the tasks ofbizSecure and
>>>>>>>> ofbizBackgroundSecure and replace them with some scripts in
>>>>>>>> /tools if people are not using them? (I assume we only use them
>>>>>>>> with demos?)
>>>>>>>>
>>>>>>>> On Aug 5, 2016 10:07 AM, "Jacques Le Roux"
>>>>>>>> <jacques.le.roux@les7arts.com> wrote:
>>>>>>>
>>>>>>> Nope, those are intended to be used in production if ever you need
>>>>>>> it.
>>>>>>>
>>>>>>> See the warning there
>>>>>>> https://cwiki.apache.org/confluence/display/OFBIZ/Keeping+OFBiz+secure
>>>>>>> for details
>>>>>>>
>>>>>>> Jacques
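Scott's proposal at the top of this mail (whitelist on by default, OOTB classes pre-listed, and a clear log message when a custom class is rejected) as an added illustration in plain Java. This is not OFBiz or notsoserial code; the default class list, the CustomRecord class and the logger name are constructed for the example.

```java
import java.io.*;
import java.util.*;
import java.util.logging.Logger;

// Added example: a whitelisting ObjectInputStream that logs a specific, actionable
// message on rejection. Not OFBiz or notsoserial code; names below are constructed.
public class WhitelistedObjectInputStream extends ObjectInputStream {
    private static final Logger LOG = Logger.getLogger("deserialization");
    // Classes accepted out of the box (constructed; a real list holds what the app really deserializes).
    private static final Set<String> DEFAULT_WHITELIST = new HashSet<>(
            Arrays.asList("java.util.ArrayList", "java.lang.Integer", "java.lang.Number"));
    private final Set<String> whitelist = new HashSet<>(DEFAULT_WHITELIST);

    public WhitelistedObjectInputStream(InputStream in, Set<String> customClasses) throws IOException {
        super(in);
        whitelist.addAll(customClasses); // operator-supplied additions for custom classes
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
        String name = desc.getName();
        if (!whitelist.contains(name)) {
            // Name the class and the remedy, so a failing custom class is easy to diagnose from the log.
            LOG.severe("Rejected deserialization of '" + name
                    + "': not in the whitelist. Add it to the custom whitelist if it is legitimate.");
            throw new InvalidClassException(name, "class not in deserialization whitelist");
        }
        return super.resolveClass(desc);
    }

    // Constructed stand-in for an application class that is not whitelisted by default.
    static class CustomRecord implements Serializable { int id = 7; }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] blob = serialize(new CustomRecord());
        try (ObjectInputStream in = new WhitelistedObjectInputStream(new ByteArrayInputStream(blob), Collections.emptySet())) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("Default whitelist rejected: " + e.classname); // also reported by the logger
        }
        Set<String> custom = Collections.singleton(CustomRecord.class.getName());
        try (ObjectInputStream in = new WhitelistedObjectInputStream(new ByteArrayInputStream(blob), custom)) {
            System.out.println("Accepted after whitelisting: id=" + ((CustomRecord) in.readObject()).id);
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the JDK's built-in ObjectInputFilter (JEP 290) instead of a stream subclass.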