> On Jun 17, 2019, at 1:17 PM, Shawn Heisey <apa...@elyograg.org> wrote:
>
>> Ideally I’d like Solr/Jetty to be able to white-list any connection from a
>> root-owned socket.
>
> Solr typically runs as a non-privileged user. If the start script detects
> that it's running as root, it will refuse to start without an option to force
> it. We strongly recommend not running as root. About the only legitimate
> reason to run as root is to bind to a port number below 1025... and that is
> discouraged because Solr should never be accessible by the open Internet.
Solr wouldn’t need to run as root; the process just needs to determine whom
it’s talking to, which the kernel can answer regardless of the server’s
privilege level.
I’m new to Java, but the jnr.unixsocket library--which Jetty uses for its UNIX
socket logic--does provide this information:
https://github.com/jnr/jnr-unixsocket/blob/master/src/main/java/jnr/unixsocket/UnixSocket.java
On the Solr side, then, would it be a matter of creating a new plugin as an
alternative to BasicAuthPlugin that manipulates whatever control Jetty exposes
(or would need to be altered to expose) that exposes the socket credentials
from jnr.unixsocket?
-FG
