[ https://issues.apache.org/jira/browse/JAMES-3881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17693485#comment-17693485 ]

Benoit Tellier commented on JAMES-3881:
---------------------------------------

Main fix still needs a backport to 3.7.4 ...

> Set a JMX password
> ------------------
>
>                 Key: JAMES-3881
>                 URL: https://issues.apache.org/jira/browse/JAMES-3881
>             Project: James Server
>          Issue Type: Improvement
>          Components: JMX
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>              Labels: security
>             Fix For: 3.8.0
>
>          Time Spent: 2h 50m
>  Remaining Estimate: 0h
>
> h2. Why ?
> JMX is inherently insecure and its usage can allow local non-root users, as 
> they can access port 9999, to escalate their privileges.
> h2. How? Solution summary
> Set up JMX authentication: local users won't know which password to use 
> (password file only readable to james user).
> Generate JMX credentials on the fly so that we can activate JMX 
> authentication by default without shipping some default credentials for it.
> h2. How? Solution details
> Try the 
> `-Dcom.sun.management.jmxremote.password.file=/root/conf/jmxremote.password` 
> JVM parameter.
> Content of `jmxremote.password`:
> {code:java}
> admin magicpass
> {code}
> Modify the CLI code to take an optional username, optional password:
>  - [ ] if username and password are unspecified, then use none
>  - [ ] if only password is specified, default to `james-admin` username.
>  - [ ] if only username is specified, prompt the user to enter a password.
> {code:java}
> # Quote the classpath and password so the shell does not expand * or $$
> java -cp '/root/resources:/root/classes:/root/libs/*' \
>    org.apache.james.cli.ServerCmd \
>    -username james-admin \
>    -password 'p4$$w0rD'
> {code}
> Specify the configured username and password when establishing the JMX 
> connection.
> BONUS: if no username / password is specified, attempt to read 
> `conf/jmxremote.password` and see its content to use the configured username 
> + password. Default to none only if this file cannot be found. This ensures no 
> changes in the docker containers james-cli script.
> BONUS x 2: When James starts, generate randomly `jmxremote.password` (fixed 
> username, default password) if none exists. This makes the default package of 
> james secure (no usage of hardcoded credential, a user does not need to change 
> something to make this secure). Plan a system property to disable this 
> behaviour `-Djames.jmx.credential.generation=true|false`.
>  - [ ] Set up JMX authentication in the default applications with a DUMMY 
> password (`jmxremote.password` only readable to the james user)
>  - [ ] Document setting up authentication for JMX. Explain in security 
> guidelines that JMX auth can prevent privilege escalation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
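
The startup-time credential generation and CLI fallback described in the issue, sketched as an added example; this is not Apache James source code. The class and method names are hypothetical, a POSIX filesystem is assumed, and treating an unset `james.jmx.credential.generation` as enabled is an assumption.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration, not Apache James code; class and method names are hypothetical.
public class JmxPasswordFileSketch {
    static final String USERNAME = "james-admin"; // default username named in the issue

    /** Creates the password file with a random password; never overwrites an existing one. */
    static boolean generateIfAbsent(Path file) throws IOException {
        // Opt-out property named in the issue; "enabled when unset" is an assumption.
        if (!Boolean.parseBoolean(System.getProperty("james.jmx.credential.generation", "true"))) {
            return false;
        }
        byte[] secret = new byte[24];
        new SecureRandom().nextBytes(secret);
        String password = Base64.getUrlEncoder().withoutPadding().encodeToString(secret);
        try {
            // Create as rw------- in one step so no other local user can ever read it.
            Files.createFile(file, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        } catch (FileAlreadyExistsException e) {
            return false; // operator-provided credentials stay untouched
        }
        Files.write(file, (USERNAME + " " + password + "\n").getBytes(StandardCharsets.UTF_8),
            StandardOpenOption.WRITE);
        return true;
    }

    /** CLI fallback: first non-comment "username password" line of the file. */
    static String[] readCredentials(Path file) throws IOException {
        for (String line : Files.readAllLines(file, StandardCharsets.UTF_8)) {
            String trimmed = line.trim();
            if (!trimmed.isEmpty() && !trimmed.startsWith("#")) {
                return trimmed.split("\\s+", 2);
            }
        }
        throw new IOException("no credentials in " + file);
    }

    public static void main(String[] args) throws IOException {
        Path file = Paths.get(args.length > 0 ? args[0] : "jmxremote.password");
        System.out.println(generateIfAbsent(file) ? "generated " + file : "kept existing " + file);
        System.out.println("JMX user: " + readCredentials(file)[0]);
    }
}
```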
