[
https://issues.apache.org/jira/browse/GEODE-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15715888#comment-15715888
]
ASF subversion and git services commented on GEODE-2146:
--------------------------------------------------------
Commit f920f55ac2c74a591fa0636fbcc613a42be1b013 in incubator-geode's branch
refs/heads/develop from [~karensmolermiller]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-geode.git;h=f920f55 ]
GEODE-2146 document new privileges req'd for deploy
> function "deploy" only requires DATA:MANAGE privilege, but a malicious user
> can write a function to change the securityManager and then execute anything
> ---------------------------------------------------------------------------------------------------------------------------------------------------------
>
> Key: GEODE-2146
> URL: https://issues.apache.org/jira/browse/GEODE-2146
> Project: Geode
> Issue Type: Improvement
> Components: docs, security
> Reporter: Jinmei Liao
> Assignee: Jinmei Liao
> Fix For: 1.1.0
>
>
> A simple function would do the following:
> SecurityUtils.setSecurityManager(null);
> This would jeopardize all the security checks afterwards and let user do
> pretty much everything.
> We should either sandbox the function execution or have deploy require ALL
> permissions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
