Bug 1118224
Summary: | Server can be shut down using CLI script notification invoked by fired alert | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [JBoss] JBoss Operations Network | Reporter: | Jan Bednarik <jbednari> | ||||||
Component: | Documentation | Assignee: | Jared MORGAN <jmorgan> | ||||||
Status: | CLOSED CURRENTRELEASE | QA Contact: | Mike Foley <mfoley> | ||||||
Severity: | high | Docs Contact: | Jared MORGAN <jmorgan> | ||||||
Priority: | unspecified | ||||||||
Version: | JON 3.2.2 | CC: | asantos, hrupp, jshaughn, mazz, mkoci, mmurray, snegrea, tsegismo | ||||||
Target Milestone: | GA | Keywords: | Documentation | ||||||
Target Release: | JON 3.3.0 | ||||||||
Hardware: | Unspecified | ||||||||
OS: | Unspecified | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||||
Doc Text: |
The server allowed a CLI script notification to be executed as a response to a fired alert.
Users who had permission to execute scripts on the server could shut down the server using this method. To prevent this from happening, older versions of the product had the Java security manager turned on. Unfortunately this created a larger performance impact than originally estimated. The security manager is now turned off by default for this reason. To turn the security manager back on again, remove the 3 'X' in -DXXXjava.security.manager in the file bin/internal/rhq-server.{sh,bat} and restart the server.
|
Story Points: | --- | ||||||
Clone Of: | Environment: |
[Release_Notes]
|
|||||||
Last Closed: | 2014-12-11 14:04:59 UTC | Type: | Bug | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Created attachment 917022 [details]
CLI script to stop JON server
due to problems in EAP 6.3.alpha, we turned off the security manager. In fact, Alan S. was OK with this - he didn't want the security manager turned on in the first place :) John correct me if I'm wrong. Aiui - this is only the case for users who have permission to execute scripts. Access to this can be controlled using the existing role based access control. Yes, only those who have access to execute CLI scripts (or have access to create alert definitions with those CLI scripts as alert notificatons) can do this. Lukas can provide more details on the CLI script stuff - he worked closely with the security manager stuff and the whole "prohibit CLI scripts from executing System.exit" thing. So, I think this should be closed/not a bug? So is this server's behviour considered to be correct and expected? If yes, this BZ can be closed. Heiko, a possible closer... Actually I am turnng that into a docs bug (and the RHQ docs may need updating too ?), as we a) need to update docs to tell that the security manager is now off ( -> Release notes) b) explain how to turn it on again in cases where people insist on it. As far as I understand the issues that led to turning it off are not in 6.3.GA, but only Alpha (In reply to Heiko W. Rupp from comment #8) > Actually I am turnng that into a docs bug (and the RHQ docs may need > updating too ?), > as we > a) need to update docs to tell that the security manager is now off ( -> > Release notes) > b) explain how to turn it on again in cases where people insist on it. > > As far as I understand the issues that led to turning it off are not in > 6.3.GA, but only Alpha I can craft a release note that covers both scenarios. Thanks to Heiko's text, this is ready for inclusion in the Release Notes. |
Created attachment 917021 [details] Server's log file Description of problem: The server allows a CLI script notification, whose source code shuts down the server, to bu executed as a response to fired alert. According to the product documentation this should be prevented: "Another common issue is that a JBoss ON server cannot run a restart operation on itself." Content of the script: java.lang.System.exit(0); Version-Release number of selected component (if applicable): RHQ 4.12-SNAPSHOT (7bf3544) How reproducible: always Steps to Reproduce: 1. Create a new content repository (Administration -> Repositories -> Create New -> give it arbitrary name -> save) 2. Create a new alert for the server's platform, in Notifications tab choose CLI script as Notification sender 3. Upload script 'stopjon.js' (see attachment) 4. Wait until the alert is fired. Actual results: The server executes the CLI script and shuts down. Expected results: The server prevents this script from being executed. Additional info: Exceptions are logged in the 'server.log' file after the alert is fired (see attachment)