Benoit Tellier created JAMES-3881:
-------------------------------------

             Summary: Set a JMX password
                 Key: JAMES-3881
                 URL: https://issues.apache.org/jira/browse/JAMES-3881
             Project: James Server
          Issue Type: Improvement
          Components: JMX
    Affects Versions: 3.7.0
            Reporter: Benoit Tellier
             Fix For: 3.8.0


h2. Why ?

JMX is inherently insecure, and its usage can allow local non-root users, as 
they can access port 9999, to escalate their privileges.

h2. How? Solution summary

Set up JMX authentication: local users won't know which password to use 
(password file only readable to james user).

Generate JMX credentials on the fly so that we can activate JMX authentication 
by default without shipping some default credentials for it.

h2. How? Solution details

Try the 
`-Dcom.sun.management.jmxremote.password.file=/root/conf/jmxremote.password` 
JVM parameter.

Content of `jmxremote.password`:

{code:java}
admin magicpass
{code}

Modify the CLI code to take an optional username, optional password:

 - [ ] if username and password are unspecified, then use none
 - [ ] if only password is specified, default to `james-admin` username.
 - [ ] if only username is specified, prompt the user to enter a password.

{code:java}
# Quote the classpath wildcard and the password so the shell does not expand * or $$
java -cp '/root/resources:/root/classes:/root/libs/*' \
   org.apache.james.cli.ServerCmd \
   -username james-admin \
   -password 'p4$$w0rD'
{code}

Specify the configured username and password when establishing the JMX 
connection.

BONUS: if no username / password is specified, attempt to read 
`conf/jmxremote.password` and see its content to use the configured username + 
password. Default to none only if this file cannot be found. This ensures no 
changes in the Docker container's james-cli script.

BONUS x 2: When James starts, randomly generate `jmxremote.password` (fixed 
username, default password) if none exists. This makes the default package of 
James secure (no usage of hardcoded credentials; a user does not need to change 
something to make this secure). Plan a system property to disable this 
behaviour: `-Djames.jmx.credential.generation=true|false`.

 - [ ] Set up JMX authentication in the default applications with a DUMMY 
password (`jmxremote.password` only readable to the james user)
 - [ ] Document setting up authentication for JMX. Explain in security 
guidelines that JMX auth can prevent privilege escalation.



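A sketch of the two "BONUS" items above, written as an added example (it is not code from the James project): generate `jmxremote.password` with owner-only permissions when it is missing, then read it back to build the JMX connection environment. The class and method names are hypothetical; it assumes a POSIX file system, that generation is enabled unless the property is set to `false`, and that the file is parsed as a properties-style `username password` list.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.*;
import javax.management.remote.JMXConnector;

public class JmxCredentials {
    static final String USERNAME = "james-admin"; // fixed username, as named in the issue

    /** Writes a random password unless the file exists or generation is disabled. */
    static void generateIfAbsent(Path file) throws IOException {
        // Assumption: generation is on unless the property is set to false.
        String flag = System.getProperty("james.jmx.credential.generation", "true");
        if (!Boolean.parseBoolean(flag) || Files.exists(file)) {
            return;
        }
        byte[] random = new byte[24];
        new SecureRandom().nextBytes(random);
        String password = Base64.getUrlEncoder().withoutPadding().encodeToString(random);
        // Create the file as rw------- first, so the secret is never group/world readable.
        Files.createFile(file, PosixFilePermissions.asFileAttribute(
            PosixFilePermissions.fromString("rw-------")));
        Files.write(file, (USERNAME + " " + password + "\n").getBytes(StandardCharsets.UTF_8));
    }

    /** JMX connection environment; empty (no credentials) if the file cannot be read. */
    static Map<String, Object> environment(Path file) throws IOException {
        Map<String, Object> env = new HashMap<>();
        if (!Files.isReadable(file)) return env;
        Properties entries = new Properties();
        try (Reader reader = Files.newBufferedReader(file, StandardCharsets.UTF_8)) {
            entries.load(reader);
        }
        for (String user : entries.stringPropertyNames()) {
            env.put(JMXConnector.CREDENTIALS, new String[] {user, entries.getProperty(user)});
            break; // use the first configured entry
        }
        return env;
    }

    public static void main(String[] args) throws IOException {
        Path file = Files.createTempDirectory("james-conf").resolve("jmxremote.password");
        generateIfAbsent(file);
        String[] creds = (String[]) environment(file).get(JMXConnector.CREDENTIALS);
        System.out.println(creds[0] + " " + Files.getPosixFilePermissions(file));
    }
}
```

The map returned by `environment` is what a client passes as the second argument to `JMXConnectorFactory.connect`; the server side still needs the `-Dcom.sun.management.jmxremote.password.file` parameter from the issue pointing at the same file.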