[jira] [Commented] (SOLR-13984) Solr should run inside a SecurityManager

Wed, 04 Dec 2019 20:51:11 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-13984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16988463#comment-16988463
 ] 

Robert Muir commented on SOLR-13984:
------------------------------------

The current state is still wrestling with tests. it must be done as a 
prerequisite for anything else

Test only changes are the best: I've been backporting all of them. So for 
example, if you want to make security manager "opt in" for some current 8.x 
minor release, you can do it, and then flick the default switch in the next 
major release or something like that.

The idea here is to just have a simple flat security model, treat all solr code 
as the same (core or contrib or whatever). It is the best way to start, given 
no previous security at all. minimizes security-related code.

It is really hard to keep it very simple when the project is doing very complex 
insecure things such as hdfs and running scripts remotely.... I am trying to 
make progress.

> Solr should run inside a SecurityManager
> ----------------------------------------
>
>                 Key: SOLR-13984
>                 URL: https://issues.apache.org/jira/browse/SOLR-13984
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> To reduce the effect of attacks, esp. RCE, Solr should run inside a 
> SecurityManager.
> Quoting Uwe here:
> {quote}
> The correct way to fix all issues we have seen the last time is very simple: 
> LET'S RUN SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). 
> Elasticsearch is doing this, so please please let's do this instead. But this 
> requires to finally get rid of the webapplication and start.jar and add our 
> own bootstrapping (like in tests) that configure Jetty and Security Manager 
> from our own org.apache.solr.bootstrap.Main.java (or similar).
> {quote}
> https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to