Move sensitive information out of Synchrony JVM arguments

Type atlassian
Reporter jbentrup
Modified 2019-12-10T05:18:57


h3. Issue

Running Synchrony as a stand-alone service for data center instances exposes sensitive information such as the database username/password, and public/private keys. These are all passed as JVM arguments. This means anyone with command-line access to the server can see this information via a {{ps}} command.

h3. To Reproduce

# Set up Synchrony as a stand-alone service
# Start Synchrony
# Run {{ps -ef | grep synchrony}}
# Results:

{code:java}
synchro+  1707     1 89 18:19 ?        00:00:08 java -Xms2048k -Xmx1024m -classpath /opt/atlassian/synchrony/synchrony-standalone.jar:/opt/atlassian/synchrony/postgresql-42.1.1.jar -Dsynchrony.cluster.impl=hazelcast-btf -Dsynchrony.port=8091 -Dcluster.listen.port=5701 -Dsynchrony.cluster.base.port=25500 -Dcluster.join.type=tcpip -Dcluster.join.tcpip.members= -Dsynchrony.context.path=/synchrony -Dsynchrony.cluster.bind= -Dsynchrony.bind= -Dcluster.interfaces= -Dsynchrony.service.url= -Dreza.service.url= -Djwt.private.key=<PRIVATE_KEY_HERE> -Djwt.public.key=<PUBLIC_KEY_HERE> Dsynchrony.database.url=jdbc:postgresql:// -Dsynchrony.database.username=<DATABASE_USERNAME_HERE> -Dsynchrony.database.password=<DATABASE_PASSWORD_HERE> -Dip.whitelist=,localhost synchrony.core sql
jason     1728  1674  0 18:19 pts/0    00:00:00 grep --color=auto synchrony
{code}

h3. Suggestion

Make Synchrony read this information from a file that can be locked to only be readable by the user running Synchrony. This could be a copy of {{confluence.cfg.xml}} or a new file.

h3. Workaround

Prevent unnecessary users from having shell access to the box on which Synchrony is running, i.e. deny logon by disabling or removing unneeded users from the Synchrony system. Also, on Linux systems running a kernel version newer than 3.3, you can mount {{/proc}} with {{hidepid=1}} or {{2}}; more information on doing this can be found at [].
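
A check covering both the exposure and the {{hidepid}} workaround described above, as an added example that is not Atlassian's code: one function lists the names (never the values) of credential-looking JVM {{-D}} properties found in process command lines, the other reports the {{hidepid}} option on the {{/proc}} mount. The name pattern, the function names and the sample command line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not Atlassian code). Sample data below is constructed.

# Assumption: property names containing these words hold secrets.
SENSITIVE_RE='password|username|private\.key'

# stdin: process command lines. stdout: names (never values) of
# non-empty -D properties whose name matches SENSITIVE_RE.
find_exposed_props() {
    tr ' ' '\n' |
        sed -n 's/^-D\([^=]*\)=..*$/\1/p' |
        grep -Ei "$SENSITIVE_RE" |
        sort -u
}

# stdin: text in /proc/mounts format. stdout: hidepid value of the
# /proc mount, or "unset" when the option is absent.
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
             n = split($4, opts, ",")
             for (i = 1; i <= n; i++)
                 if (opts[i] ~ /^hidepid=/) v = substr(opts[i], 9)
         }
         END { print (v == "" ? "unset" : v) }'
}

# Constructed sample modelled on the ps output in this issue.
SAMPLE_PS='java -Xmx1024m -Dsynchrony.port=8091 -Dsynchrony.bind= -Djwt.private.key=CONSTRUCTED_KEY -Dsynchrony.database.username=CONSTRUCTED_USER -Dsynchrony.database.password=CONSTRUCTED_PW synchrony.core sql'

# Run against the live host: every process visible to the caller.
audit_host() {
    echo "hidepid on /proc: $(proc_hidepid < /proc/mounts)"
    echo "secret-looking JVM properties visible to $(id -un):"
    ps -e -o args | find_exposed_props | sed 's/^/  /'
}

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    printf '%s\n' "$SAMPLE_PS" | find_exposed_props
fi
```

Run it with {{--live}} as an unprivileged account that does not own the Synchrony process: any property names it prints are readable by that account, and an empty list together with a {{hidepid}} value of 1 or 2 indicates the workaround is in effect.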