[ 
https://issues.apache.org/jira/browse/JAMES-3881?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoit Tellier closed JAMES-3881.
---------------------------------
    Fix Version/s: 3.7.4
       Resolution: Fixed

> Set a JMX password
> ------------------
>
>                 Key: JAMES-3881
>                 URL: https://issues.apache.org/jira/browse/JAMES-3881
>             Project: James Server
>          Issue Type: Improvement
>          Components: JMX
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>              Labels: security
>             Fix For: 3.8.0, 3.7.4
>
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> h2. Why ?
> JMX is inherently insecure and it's usage can allow local non-root user, as 
> they can access port 9999, to escalate their privileges.
> h2. How? Solution summary
> Set up JMX authentication: local users won't know which password to use 
> (password file only readable to james user).
> Generate JMX credentials on the fly so that we can activate JMX 
> authentication by default without shipping some default credentials for it.
> h2. How? Solution details
> Try the 
> `-Dcom.sun.management.jmxremote.password.file=/root/conf/jmxremote.password` 
> JVM parameter.
> Content of `jmxremote.password``:
> {code:java}
> admin magicpass
> {code}
> Modify the CLI code to take an optional username, optional password:
>  - [ ] if username and password is unspecified, then use none
>  - [ ] if only password is specified, default to `james-admin` username.
>  - [ ] if only username is specified, prompt the user to enter a password.
> {code:java}
> java -cp /root/resources:/root/classes:/root/libs/* 
> org.apache.james.cli.ServerCmd 
>    -username james-admin
>    -password p4$$w0rD
> {code}
> Specify the configured username and password when establishing the JMX 
> connection.
> BONUS: if no username / password is specified, attempt to read 
> `conf/jmxremote.password` and see its content to use the configured username 
> + password. Default to none only if this file cannot be found. This ensure no 
> changes in the docker containers james-cli script.
> BONUS x 2: When James starts, generate randomly `jmxremote.password` (fixed 
> username, default password) if none exists. This makes the default package of 
> james secure (no usage of hardcoded credential, a user do not need to change 
> something to make this secure). Plan a system property to disable this 
> behaviour `-Djames.jmx.credential.generation=true|false`.
>  - [ ] Set up JMX authentication in the default applications with a DUMMY 
> passwor (`jmxremote.password` only readable to the james user)
>  - [ ] Document setting up authentication for JMX. Explain in security 
> guidelines that JMX auth can prevent privilege escalation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org

Reply via email to