Jinmei Liao created GEODE-2146:
----------------------------------
Summary: function "deploy" only requires DATA:WRITE privilege, but
a malicious user can write a function to change the securityManager and then
execute anything
Key: GEODE-2146
URL: https://issues.apache.org/jira/browse/GEODE-2146
Project: Geode
Issue Type: Improvement
Components: security
Reporter: Jinmei Liao
A simple function would do the following:
SecurityUtils.setSecurityManager(null);
This would jeopardize all the security checks afterwards and let user do pretty
much everything.
We should either sandbox the function execution or have deploy require ALL
permissions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
