-Dofbiz.admin.key=random-string

-Dofbiz.admin.key=random-string

Adam Heath-2
Specifying this on the command line during ofbiz startup is a security
problem.  Anyone could then connect to the port, and issue commands to
ofbiz (mostly, stop, which would be a DoS-type problem).

I'm thinking about a
-Dsystem.props=/path/to/file/with/system/properties kinda thing, with
permissions set so that non-ofbiz users can't read it.  This would
close this particular hole.

If I do that, would it be something accepted for the release branch?
Obviously, I'd need to create the fix/patch first.
Re: -Dofbiz.admin.key=random-string

BJ Freeman
only works on linux systems
does not cover windows servers.

Adam Heath sent the following on 4/17/2009 4:43 PM:

> Specifying this on the command line during ofbiz startup is a security
> problem.  Anyone could then connect to the port, and issue commands to
> ofbiz (mostly, stop, which would be a DoS-type problem).
>
> I'm thinking about a
> -Dsystem.props=/path/to/file/with/system/properties kinda thing, with
> permissions set so that non-ofbiz users can't read it.  This would
> close this particular hole.
>
> If I do that, would it be something accepted for the release branch?
> Obviously, I'd need to create the fix/patch first.
Re: -Dofbiz.admin.key=random-string

Adam Heath-2
BJ Freeman wrote:
> only works on linux systems
> does not cover windows servers.

Works everywhere.  The path given on the command line is just read
from, so whatever system policy is in use for specifying file names
should just work.

I'm not saying we would necessarily set it to something, but just
saying the feature should be added.

See revision 766193.

java -jar ofbiz.jar -Dofbiz.system.props=/path/to/file or "c:\Program
Files\OfBiz\file" or whatever.


Re: -Dofbiz.admin.key=random-string

BJ Freeman
nope
> with permissions set so that non-ofbiz users can't read it.

though the NTFS has permissions, they are not easily set if the drive
has not been set up for it before.
Most windows drives are set for everyone, which most users don't know,
thinking their login has strong security which it does not. You can
drive a Mack truck through it blindfolded.

Most people don't even know what NTFS security is, let alone how to use it.


Adam Heath sent the following on 4/17/2009 6:13 PM:

> BJ Freeman wrote:
>> only works on linux systems
>> does not cover windows servers.
>
> Works everywhere.  The path given on the command line is just read
> from, so whatever system policy is in use for specifying file names
> should just work.
>
> I'm not saying we would necessarily set it to something, but just
> saying the feature should be added.
>
> See revision 766193.
>
> java -jar ofbiz.jar -Dofbiz.system.props=/path/to/file or "c:\Program
> Files\OfBiz\file" or whatever.
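The mechanism Adam proposes (a properties file named on the command line, readable only by the ofbiz user) and BJ's objection (NTFS permissions are usually wide open) can both be made concrete in one loader. The code below is an added illustration written for this thread; it is not OFBiz code and does not reproduce revision 766193. It assumes a property named `ofbiz.system.props` carrying the file path, refuses the file when POSIX mode bits make it readable by others, and on filesystems without mode bits (NTFS) walks the ACL looking for an ALLOW entry that grants read to the `Everyone` principal. The principal name `Everyone` is an assumption: it is localized on non-English Windows installations.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Properties;
import java.util.Set;

/** Added example (not OFBiz code): load system properties from a permission-checked file. */
public final class SystemPropsLoader {

    // Property name modelled on the thread's -Dofbiz.system.props=... (hypothetical name).
    static final String PROPS_FILE_PROPERTY = "ofbiz.system.props";

    public static void main(String[] args) throws IOException {
        String location = System.getProperty(PROPS_FILE_PROPERTY);
        if (location == null) {
            return; // feature not used; startup behaves as before
        }
        Path file = Paths.get(location);
        if (!Files.isRegularFile(file)) {
            throw new IOException(file + " is not a regular file");
        }
        if (isReadableByOthers(file)) {
            throw new IOException(file + " is readable by other users; refusing to load secrets from it");
        }
        Properties props = loadProperties(file);
        // Apply the file's entries exactly as -Dname=value would have, but without
        // exposing them in the process's command line (e.g. the admin key).
        for (String name : props.stringPropertyNames()) {
            System.setProperty(name, props.getProperty(name));
        }
    }

    /** True when users other than the owner and owning group can read the file. */
    static boolean isReadableByOthers(Path file) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            return perms.contains(PosixFilePermission.OTHERS_READ);
        } catch (UnsupportedOperationException noPosixBits) {
            // NTFS and similar: no mode bits, so inspect the ACL instead.
            return aclGrantsReadToEveryone(file);
        }
    }

    /**
     * ACL check: any ALLOW entry granting READ_DATA to the "Everyone" principal.
     * Assumption: the principal is named "Everyone" (localized on non-English Windows).
     */
    static boolean aclGrantsReadToEveryone(Path file) throws IOException {
        AclFileAttributeView view = Files.getFileAttributeView(file, AclFileAttributeView.class);
        if (view == null) {
            // Neither POSIX nor ACL attributes are available: cannot verify, so treat as unsafe.
            return true;
        }
        for (AclEntry entry : view.getAcl()) {
            String principal = entry.principal().getName();
            boolean everyone = principal.equals("Everyone") || principal.endsWith("\\Everyone");
            if (everyone && entry.type() == AclEntryType.ALLOW
                    && entry.permissions().contains(AclEntryPermission.READ_DATA)) {
                return true;
            }
        }
        return false;
    }

    static Properties loadProperties(Path file) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(file)) {
            props.load(in);
        }
        return props;
    }
}
```

Run it as `java -Dofbiz.system.props=/path/to/file SystemPropsLoader`; on a POSIX host a file with mode 0600 owned by the ofbiz user passes, a 0644 file is rejected, and on NTFS the default "Everyone: Read" ACE that BJ describes is what trips the check rather than silently exposing the key.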