Hi Chris,
Yes, adding a doPriv for setDaemon and setName in a couple of places
makes sense.
Thanks, Roger
On 11/22/22 11:12 AM, Chris Hegarty wrote:
Hi Alan,
On 22/11/2022 16:08, Alan Bateman wrote:
On 22/11/2022 15:21, Chris Hegarty wrote:
..
Just to double check, does the ES security manager override
checkAccess(Thread)?
Yes. :-(
That is usually a no-op but if overridden then it will expose an
issue with the thread factory for the "process reaper" where it
attempts changes the daemon status outside of a doPriv block.
Right. That's exactly what we're running into.
If there are no objections, then I'm happy to file an issue
and PR to add narrow doPriv blocks around these calls.
-Chris
[1]
https://github.com/elastic/elasticsearch/blob/main/libs/secure-sm/src/main/java/org/elasticsearch/secure_sm/SecureSM.java#L118