Anyone who is managing their network from outside of the firewall really
needs to be conscious of security exposures and should only allow access
to the console with the ssl transport (https) and user authentication
(hopefully with something other than system/manager). We should add
this to our security and admin console documentation.
I think the admin console should allow updates to JVM properties. In
fact, perhaps even add some input fields for some of the common
parameters that Cristian mentioned in his original post.
-Dave-
Paul McMahan wrote:
I definitely like the idea of adding this type of functionality to the
admin console. A section of setenv.sh/bat could be designated to JVM
variables settable via the admin console. And by surrounding that
section with proper annotation we could probably avoid confusing the
user as to what gets set by whom and when. However, my spidey sense
starts tingling when I think about accepting input from outside the
machine (and potentially outside the firewall) that is placed directly
into a script that may be executed with root/admin privileges. No
matter how carefully we sanitize the input some clever person may figure
out some newfangled way to sneak a newline through or some such
mischief. Perhaps there is a way to change (at least some of) the
properties of the JVM *after* it has been executed from the command
line? But now we're back to allowing properties to be set in two places
again, doh! :-)
Best wishes,
Paul
On 1/18/06, John Sisson wrote:
The geronimo.sh/bat startup script will execute a setenv.sh/bat file if
it is present. See the comments at the bottom of the comment header for
geronimo.sh/bat.
For example, the setenv.sh/bat files can set the GERONIMO_OPTS
environment variable to change the JVM options.
We would want to avoid having two places that JVM options are configured
as that would be confusing and make Geronimo more difficult to support.
Maybe the console could have a page that allows you to add/update/delete
environment variables, which results in the appropriate modifications to
the setenv.sh and setenv.bat files. It would need to be careful with
updating/deleting environment variables, as a user may have inserted
some logic in the script before the environment variable is set (or the
environment variable could be in a number of places in the script due to
logic). Maybe the console would need to detect whether the script has
anything other than the simple setting of environment variables and if
so, prevent you from editing it from the console.
It would be interesting to hear from others whether they think it is a
security issue allowing the console to edit bat/sh startup script files
(could malicious commands be inserted into the startup scripts).
John
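
Added example, not part of the thread and not Geronimo code: a Python sketch of the two safeguards discussed above, an allow-list that rejects any JVM option containing a newline or shell metacharacter, and a check that refuses to edit a setenv.sh containing anything beyond plain assignments. The marker comments, function names, allow-list patterns and sample scripts are assumptions made for illustration.

```python
import re
import shlex

# Hypothetical markers for the console-owned section of setenv.sh.
BEGIN = "# BEGIN console-managed JVM options (do not edit by hand)"
END = "# END console-managed JVM options"

# Allow-list for one JVM option: no whitespace, quotes, newlines or shell
# metacharacters can match, so nothing can break out of the assignment.
OPTION_RE = re.compile(r"-[A-Za-z][A-Za-z0-9_.:+\-]*(=[A-Za-z0-9_.:/,+\-]*)?")
# The only statement form accepted outside the managed block (conservative).
SIMPLE_RE = re.compile(
    r"(export\s+)?[A-Za-z_][A-Za-z0-9_]*=('[^']*'|[A-Za-z0-9_.:/,+=\-]*)")

# Constructed sample scripts, not taken from Geronimo.
SAMPLE_SIMPLE = "# sample setenv.sh\nexport JAVA_HOME=/opt/java\n"
SAMPLE_LOGIC = "if [ -d /opt/java ]; then\n  JAVA_HOME=/opt/java\nfi\n"


def validate_options(options):
    """Return the options unchanged, or raise if any is outside the allow-list."""
    for opt in options:
        if not OPTION_RE.fullmatch(opt):  # fullmatch also rejects a trailing newline
            raise ValueError(f"rejected JVM option: {opt!r}")
    return list(options)


def is_simple_script(text):
    """True if each line outside the managed block is blank, a comment or an assignment."""
    in_block = False
    for line in (raw.strip() for raw in text.splitlines()):
        if line in (BEGIN, END):
            in_block = line == BEGIN
        elif not in_block and line and not line.startswith("#"):
            if not SIMPLE_RE.fullmatch(line):
                return False
    return not in_block  # an unterminated block counts as hand-edited


def update_setenv(text, options):
    """Replace (or append) the managed block; refuse scripts that contain logic."""
    if not is_simple_script(text):
        raise ValueError("setenv.sh contains logic; edit it by hand")
    value = shlex.quote(" ".join(validate_options(options)))
    block = f"{BEGIN}\nexport GERONIMO_OPTS={value}\n{END}\n"
    old = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)
    rest = old.sub("", text)
    if rest and not rest.endswith("\n"):
        rest += "\n"
    return rest + block
```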