Hi
Thanks so much for taking the time to participate on this thread, David. It is always good to see you. Although I do understand where you're coming from, I don't think that what you suggest necessarily applies to our case. Nonetheless, it is my fault for not explaining why they need to take this measure.
What our client told us is that a team of developers will have access to the files of the liferay portal once it has been deployed, but only one person should have access to the codes necessary for mail and database connection. For that reason, leaving the contents of portal-ext.properties as plain text would allow all the people with access to the project to see these codes.
As you can see, they are not so worried about an external attack as they are about keeping these codes safe from misusage. I think they are being completely reasonable, albeit a little paranoid as well.
In any case, we would appreciate if you would take a look at what we have come up with:
What do you think about this. Is there anything we might be overlooking?
Thanks so much for taking the time to participate on this thread, David. It is always good to see you. Although I do understand where you're coming from, I don't think that what you suggest necessarily applies to our case. Nonetheless, it is my fault for not explaining why they need to take this measure.
What our client told us is that a team of developers will have access to the files of the liferay portal once it has been deployed, but only one person should have access to the codes necessary for mail and database connection. For that reason, leaving the contents of portal-ext.properties as plain text would allow all the people with access to the project to see these codes.
As you can see, they are not so worried about an external attack as they are about keeping these codes safe from misusage. I think they are being completely reasonable, albeit a little paranoid as well.
In any case, we would appreciate if you would take a look at what we have come up with:
- Create a portal-ext.properties file that will be edited by the person with access to the codes.
- Using the passcode, this person creates a decrypted file and proceeds to safely delete the original file.
- Then they run blade server start.
- The startup.sh will do what it normally does, except that now it will also run a command that will ask for a passcode
- The passcode entered will be used to attempt to decrypt the file. If it fails, the program lets you know that the passcode is incorrect and asks them to try again. Otherwise, a decrypted portal-ext.properties is created and the program runs catalina.sh.
- Once Liferay has started and is running we proceed to safely delete the decrypted file.
What do you think about this. Is there anything we might be overlooking?
Edward A:
What our client told us is that a team of developers will have access to the files of the liferay portal once it has been deployed, but only one person should have access to the codes necessary for mail and database connection. For that reason, leaving the contents of portal-ext.properties as plain text would allow all the people with access to the project to see these codes.
Hey, Edward. For security purposes, I wouldn't use portal-ext.properties anyway. The properties are always visible to code running int the portal. Most properties are visible within the control panel on the systems admin page, there's a tab for properties where you can see them. Now Liferay does support marking some as "protected" so the control panel will only show the chars as "*", but that's far from secure. You can get to the script control panel and print them using a good old groovy script.
When I say JNDI, I usually put those settings into tomcat's conf/Catalina/localhost/ROOT.xml file. You set the permissions on this file so only the tomcat process can read the file, no one else.
There is no reason that the developers would need any kind of access to the conf directory anyway.
As you can see, they are not so worried about an external attack as they are about keeping these codes safe from misusage. I think they are being completely reasonable, albeit a little paranoid as well.
Well, I'd say it is a lot paranoid. If you don't trust your developers, you have a real problem. After all, they can do a lot of damage and misuse even without the database credentials.
What do you think about this. Is there anything we might be overlooking?
Liferay can take some time to start up. If I'm that evil developer, I'd be sitting there waiting for you to try to start the process so I can cat the properties while Liferay is starting up.
Being password based, you won't be able to auto-start tomcat when the system restarts.
Liferay uses Easyconf for the properties file handling. I only mention it because you can configure Easyconf to "watch" the file for changes. This is not enabled by default, but if you are using that feature, deleting the file after startup could have adverse effects. It is possible that other parts of Liferay "watch" this file, but nothing springs to mind...
I don't get the paranoia over the DB though. It shouldn't be a production database, because you never develop against the prod assets as it is too easy for untested code to break things. So that means there is a development database but that too the developers shouldn't have access to? As a developer, DB access can be necessary to test out SQL, service builder code, etc.
So basically your list will work, but it is far from foolproof...
Come meet me at Devcon 2017 or 2017 LSNA!
