[jira] [Commented] (SOLR-14585) Check the current user in SysV init script
[ https://issues.apache.org/jira/browse/SOLR-14585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17147441#comment-17147441 ]

Roman Kosenko commented on SOLR-14585:
--------------------------------------

[~cpoerschke], I've added some comments - see the following pull request: [https://github.com/apache/lucene-solr/pull/1627]

BTW, this change is not in the `bin/solr` script. It is in `bin/init.d/solr` - this is just an example SysV init script that executes `bin/solr` under the hood.

> Check the current user in SysV init script
> ------------------------------------------
>
>                 Key: SOLR-14585
>                 URL: https://issues.apache.org/jira/browse/SOLR-14585
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: scripts and tools
>    Affects Versions: 8.5.2
>            Reporter: Roman Kosenko
>            Priority: Minor
>              Labels: sysinit, systemd
>         Attachments: init.d-solr.diff
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> While SOLR-14410 is still open I propose a quick fix/improvement for the init.d
> script - check the current user and, if it is the same as the RUNAS user, then
> don't execute "su".
>
> Background:
> Systemd has backward compatibility with SysV and is able to run scripts from
> /etc/init.d, but SELinux policies in many distros encourage changing user
> before this stage and prohibit executing the "su" binary, so it would be
> logical to do this at systemd level
> (/etc/systemd/system/solr.service.d/override.conf). In this case, the current
> init.d script for Solr is missing one very trivial check - `"$RUNAS" !=
> "$USER"`. See the diff-file in the attachment.
>
> Pull request: https://github.com/apache/lucene-solr/pull/1627

--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
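
The check proposed in the issue description, written out as a stand-alone sketch (an added example, not part of the original messages, the attached diff, or the Solr init script). `RUNAS` comes from the issue; the function names and the use of `id -un` with `$USER` as a fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: not the Solr init script and not the attached init.d-solr.diff.
# RUNAS matches the variable named in the issue; all function names are hypothetical.

# current_user: name of the account this script is running as.
# Assumption of this example: ask id(1) for the effective user first and use
# $USER only as a fallback, since $USER is an inherited environment variable.
current_user() {
  cu_name=$(id -un 2>/dev/null) || cu_name=${USER:-}
  printf '%s\n' "$cu_name"
}

# needs_su RUNAS [CURRENT]: succeeds only when RUNAS is set and differs from
# the current user, i.e. when the user still has to be switched.
needs_su() {
  ns_runas=$1
  ns_current=${2:-$(current_user)}
  [ -n "$ns_runas" ] && [ "$ns_runas" != "$ns_current" ]
}

# launch_mode RUNAS [CURRENT]: print "su" or "direct" for logging and testing.
launch_mode() {
  if needs_su "$@"; then echo su; else echo direct; fi
}

# run_as RUNAS CMD [ARG...]: run CMD directly when no switch is needed
# (for example when systemd already started the script as RUNAS),
# otherwise hand it to su. Arguments are joined with spaces for "su -c",
# so this sketch expects arguments without whitespace.
run_as() {
  ra_user=$1
  shift
  if needs_su "$ra_user"; then
    su -c "$*" - "$ra_user"
  else
    "$@"
  fi
}

# Constructed cases: (RUNAS, current user) -> decision
echo "RUNAS=solr, running as root: $(launch_mode solr root)"
echo "RUNAS=solr, running as solr: $(launch_mode solr solr)"
echo "RUNAS unset, running as root: $(launch_mode '' root)"
```
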
[jira] [Commented] (SOLR-14585) Check the current user in SysV init script
[ https://issues.apache.org/jira/browse/SOLR-14585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17146465#comment-17146465 ]

Christine Poerschke commented on SOLR-14585:
--------------------------------------------

Hmm, not familiar with this way of invoking the {{bin/solr}} script, sorry. Curious if it would be helpful to document the non-{{su}} in this scenario somehow in the script (beyond the code change) and/or whether or not something about it would be appropriate in the upgrade notes?
[jira] [Commented] (SOLR-14585) Check the current user in SysV init script
[ https://issues.apache.org/jira/browse/SOLR-14585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17146304#comment-17146304 ]

Mikhail Khludnev commented on SOLR-14585:
-----------------------------------------

[~cpoerschke], WDYT?
[jira] [Commented] (SOLR-14585) Check the current user in SysV init script
[ https://issues.apache.org/jira/browse/SOLR-14585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17144675#comment-17144675 ]

Mikhail Khludnev commented on SOLR-14585:
-----------------------------------------

I'm happy to merge this oneliner if we have another pair of eyes confirming that it doesn't hurt.