Created attachment 917021 [details] Server's log file Description of problem: The server allows a CLI script notification, whose source code shuts down the server, to bu executed as a response to fired alert. According to the product documentation this should be prevented: "Another common issue is that a JBoss ON server cannot run a restart operation on itself." Content of the script: java.lang.System.exit(0); Version-Release number of selected component (if applicable): RHQ 4.12-SNAPSHOT (7bf3544) How reproducible: always Steps to Reproduce: 1. Create a new content repository (Administration -> Repositories -> Create New -> give it arbitrary name -> save) 2. Create a new alert for the server's platform, in Notifications tab choose CLI script as Notification sender 3. Upload script 'stopjon.js' (see attachment) 4. Wait until the alert is fired. Actual results: The server executes the CLI script and shuts down. Expected results: The server prevents this script from being executed. Additional info: Exceptions are logged in the 'server.log' file after the alert is fired (see attachment)
Created attachment 917022 [details] CLI script to stop JON server
due to problems in EAP 6.3.alpha, we turned off the security manager. In fact, Alan S. was OK with this - he didn't want the security manager turned on in the first place :)
John correct me if I'm wrong. Aiui - this is only the case for users who have permission to execute scripts. Access to this can be controlled using the existing role based access control.
Yes, only those who have access to execute CLI scripts (or have access to create alert definitions with those CLI scripts as alert notificatons) can do this. Lukas can provide more details on the CLI script stuff - he worked closely with the security manager stuff and the whole "prohibit CLI scripts from executing System.exit" thing.
So, I think this should be closed/not a bug?
So is this server's behviour considered to be correct and expected? If yes, this BZ can be closed.
Heiko, a possible closer...
Actually I am turnng that into a docs bug (and the RHQ docs may need updating too ?), as we a) need to update docs to tell that the security manager is now off ( -> Release notes) b) explain how to turn it on again in cases where people insist on it. As far as I understand the issues that led to turning it off are not in 6.3.GA, but only Alpha
(In reply to Heiko W. Rupp from comment #8) > Actually I am turnng that into a docs bug (and the RHQ docs may need > updating too ?), > as we > a) need to update docs to tell that the security manager is now off ( -> > Release notes) > b) explain how to turn it on again in cases where people insist on it. > > As far as I understand the issues that led to turning it off are not in > 6.3.GA, but only Alpha I can craft a release note that covers both scenarios.
Thanks to Heiko's text, this is ready for inclusion in the Release Notes.