Bug 1118224 - Server can be shut down using CLI script notification invoked by fired alert
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Operations Network
Classification: JBoss
Component: Documentation
Version: JON 3.2.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: GA
Target Release: JON 3.3.0
Assignee: Jared MORGAN
QA Contact: Mike Foley
Docs Contact: Jared MORGAN
URL:
Whiteboard:
Keywords: Documentation
Depends On:
Blocks:
Reported: 2014-07-10 08:48 UTC by Jan Bednarik
Modified: 2015-08-10 01:24 UTC (History)
The server allowed a CLI script notification to be executed as a response to a fired alert.
Users who had permission to execute scripts on the server could shut down the server using this method. To prevent this from happening, older versions of the product had the Java security manager turned on. Unfortunately this created a larger performance impact than originally estimated. The security manager is now turned off by default for this reason. To turn the security manager back on again, remove the 3 'X' in -DXXXjava.security.manager in the file bin/internal/rhq-server.{sh,bat} and restart the server.
Clone Of:
[Release_Notes]
Last Closed: 2014-12-11 14:04:59 UTC
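
The re-enable step from the release-note text above, as an added example (not part of the bug report or the product's own scripts): it reports whether a launcher still carries the disabled `-DXXXjava.security.manager` form and removes the three 'X' characters, keeping a backup. It covers the `.sh` launcher only; the sample file content and the `SAMPLE_JAVA_OPTS` name are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report). Audits and re-enables the
# security manager flag in an RHQ/JON launcher script.

# Print the flag state in launcher file $1: disabled | enabled | absent
secmgr_state() {
    if grep -q -e '-DXXXjava\.security\.manager' "$1"; then
        echo disabled                 # the shipped default per the note
    elif grep -q -e '-Djava\.security\.manager' "$1"; then
        echo enabled
    else
        echo absent
    fi
}

# Remove the three 'X' characters in file $1, keeping the original as $1.bak.
# Already enabled: no change, returns 0. Flag not found: returns 1.
secmgr_enable() {
    case "$(secmgr_state "$1")" in
        enabled) return 0 ;;
        absent)  echo "no java.security.manager flag in $1" >&2; return 1 ;;
    esac
    cp -p "$1" "$1.bak" &&
        sed 's/-DXXXjava\.security\.manager/-Djava.security.manager/g' \
            "$1.bak" > "$1"
}

# Demo on a constructed launcher fragment; SAMPLE_JAVA_OPTS is a made-up
# variable name, not taken from the real rhq-server.sh.
secmgr_demo() {
    f=$(mktemp) || return 1
    printf '%s\n' 'SAMPLE_JAVA_OPTS="-Xms1024M -DXXXjava.security.manager"' > "$f"
    before=$(secmgr_state "$f")
    secmgr_enable "$f" || return 1
    echo "$before -> $(secmgr_state "$f")"
    rm -f "$f" "$f.bak"
}

secmgr_demo
```

To apply it, call `secmgr_enable` on `bin/internal/rhq-server.sh` and restart the server so the changed flag takes effect.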


Attachments
Server's log file (56.56 KB, text/x-log)
2014-07-10 08:48 UTC, Jan Bednarik
CLI script to stop JON server (26 bytes, application/javascript)
2014-07-10 08:49 UTC, Jan Bednarik

Description Jan Bednarik 2014-07-10 08:48:21 UTC
Created attachment 917021 [details]
Server's log file

Description of problem:
The server allows a CLI script notification, whose source code shuts down the server, to be executed as a response to a fired alert. According to the product documentation this should be prevented: "Another common issue is that a JBoss ON server cannot run a restart operation on itself."

Content of the script:

java.lang.System.exit(0);

Version-Release number of selected component (if applicable):
RHQ 4.12-SNAPSHOT (7bf3544)

How reproducible:
always

Steps to Reproduce:
1. Create a new content repository (Administration -> Repositories -> Create New -> give it arbitrary name -> save)
2. Create a new alert for the server's platform, in Notifications tab choose CLI script as Notification sender
3. Upload script 'stopjon.js' (see attachment)
4. Wait until the alert is fired.

Actual results:
The server executes the CLI script and shuts down.

Expected results:
The server prevents this script from being executed.

Additional info:
Exceptions are logged in the 'server.log' file after the alert is fired (see attachment)

Comment 1 Jan Bednarik 2014-07-10 08:49:43 UTC
Created attachment 917022 [details]
CLI script to stop JON server

Comment 2 John Mazzitelli 2014-07-14 15:35:18 UTC
Due to problems in EAP 6.3.alpha, we turned off the security manager. In fact, Alan S. was OK with this - he didn't want the security manager turned on in the first place :)

Comment 3 Alan Santos 2014-07-14 19:55:35 UTC
John correct me if I'm wrong. Aiui - this is only the case for users who have permission to execute scripts. Access to this can be controlled using the existing role based access control.

Comment 4 John Mazzitelli 2014-07-14 20:00:31 UTC
Yes, only those who have access to execute CLI scripts (or have access to create alert definitions with those CLI scripts as alert notifications) can do this.

Lukas can provide more details on the CLI script stuff - he worked closely with the security manager stuff and the whole "prohibit CLI scripts from executing System.exit" thing.

Comment 5 Jay Shaughnessy 2014-07-22 19:09:52 UTC
So, I think this should be closed/not a bug?

Comment 6 Jan Bednarik 2014-07-23 06:41:45 UTC
So is this server's behaviour considered to be correct and expected? If yes, this BZ can be closed.

Comment 7 Jay Shaughnessy 2014-07-23 15:11:58 UTC
Heiko, a possible closer...

Comment 8 Heiko W. Rupp 2014-07-23 16:10:47 UTC
Actually I am turning that into a docs bug (and the RHQ docs may need updating too?),
as we 
a) need to update docs to tell that the security manager is now off ( -> Release notes)
b) explain how to turn it on again in cases where people insist on it.

As far as I understand the issues that led to turning it off are not in 6.3.GA, but only Alpha

Comment 12 Jared MORGAN 2014-10-07 00:13:19 UTC
(In reply to Heiko W. Rupp from comment #8)
> Actually I am turning that into a docs bug (and the RHQ docs may need
> updating too?),
> as we 
> a) need to update docs to tell that the security manager is now off ( ->
> Release notes)
> b) explain how to turn it on again in cases where people insist on it.
> 
> As far as I understand the issues that led to turning it off are not in
> 6.3.GA, but only Alpha

I can craft a release note that covers both scenarios.

Comment 14 Jared MORGAN 2014-11-12 05:31:30 UTC
Thanks to Heiko's text, this is ready for inclusion in the Release Notes.

