JIRA Standalone – Major Vulnerability

JIRA Standalone runs, by default, as the user that starts the process on Linux. Running tomcat as root is generally a Bad Idea. Therefore, if you run JIRA as a service by adding a script under /etc/init.d and calling /etc/init.d/jira start … it’ll be running as root.

I opened a ticket with JIRA support several weeks ago pointing this out, and the only result has been adding one line of documentation that tells you how to add a user. This is not the best solution. Their solution would create a privileged user with a shell — you want to avoid this. Also, they don’t say anything about running JIRA as a service under init.d.

After the fold, there’s my init.d script for OpenSUSE 10.3. Gotta love JIRA, it’s more flexible than any other project management tool out there, but Atlassian apparently is not a company with a great deal of understanding of Linux.

This script will run JIRA as the tomcat user. After placing it in /etc/init.d/, run

chkconfig jira on

to start JIRA when you start the system.

#!/bin/bash

# Copyright (c) 2006 SUSE Linux Products GmbH
#
# /srv/jira/ -- Starts tomcat/catalina
#
### BEGIN INIT INFO
# Provides: jira
# Required-Start: $remote_fs $syslog $network
# Required-Stop:  $remote_fs $syslog
# Default-Start:  3 5
# Default-Stop:   0 1 2 6
# Short-Description: JIRA Task Management Standalone
# Description:       Start JIRA web services
### END INIT INFO

. /etc/rc.status

rc_reset

case "$1" in
        start)
                echo -n "Starting JIRA "
                su - tomcat /srv/jira/bin/startup.sh

                rc_status -v
                ;;
        stop)
                echo -n "Shutting down JIRA "
                su - tomcat /srv/jira/bin/shutdown.sh

                rc_status -v
                ;;
        restart)
                $0 stop
                $0 start
                ;;
        *)
                echo "Usage: $0 {start|stop}"
                exit 1
esac
rc_exit