rmuir commented on a change in pull request #1082: SOLR-13984: add
(experimental, disabled by default) security manager support
URL: https://github.com/apache/lucene-solr/pull/1082#discussion_r360649127
##########
File path: solr/bin/solr
##########
@@ -2071,6 +2071,17 @@ else
REMOTE_JMX_OPTS=()
fi
+# Enable java security manager (limiting filesystem access and other things)
+# Don't cache DNS lookups forever, set the value back to the original JDK
default.
+if [ "$SOLR_SECURITY_MANAGER_ENABLED" == "true" ]; then
+ SECURITY_MANAGER_OPTS=('-Djava.security.manager' \
+ "-Djava.security.policy=${SOLR_SERVER_DIR}/etc/security.policy" \
+ '-Dsun.net.inetaddr.ttl=30' \
Review comment:
> Shouldn't this be configurable by the user? Perhaps we keep this default
but make it configurable with a SOLR_NETWORKADDRESS_CACHE_TTL variable.
It is not configurable today: I'm not trying to add that feature here. I am
just preventing dns from cached indefinitely.
> Although most (all?) JVMs still honor the sun.net.inetaddr.ttl but it is
officially deprecated so we should use -Dnetworkaddress.cache.ttl
nope: `networkaddress.cache.ttl` is not a system property at all.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
