ASF subversion and git services commented on GEODE-2146:

Commit 4f67348dc974867e4b68b8b0e9467c97311e6ede in incubator-geode's branch 
refs/heads/develop from [~jinmeiliao]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=4f67348 ]

GEODE-2146: deploy should require more elevated privileges than just data:manage

> function "deploy" only requires DATA:MANAGE privilege, but a malicious user 
> can write a function to change the securityManager and then execute anything 
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>                 Key: GEODE-2146
>                 URL: https://issues.apache.org/jira/browse/GEODE-2146
>             Project: Geode
>          Issue Type: Improvement
>          Components: docs, security
>            Reporter: Jinmei Liao
> A simple function would do the following:
> SecurityUtils.setSecurityManager(null);
> This would jeopardize all the security checks afterwards and let user do 
> pretty much everything.
> We should either sandbox the function execution or have deploy require ALL 
> permissions.  

This message was sent by Atlassian JIRA

Reply via email to