[ 
https://issues.apache.org/jira/browse/NIFI-9937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17524536#comment-17524536
 ] 

David Handermann commented on NIFI-9937:
----------------------------------------

Thanks for describing this issue [~msr1716].

NiFi supports the concept of [Restricted 
Components|https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#Restricted_Components_in_Versioned_Flows],
 which allow an administrator to limit access to components that are capable of 
certain activities, such as accessing the filesystem.

Several other components have the same types of issues described for 
{{GetFile}}. For instance, the {{ExecuteStreamCommand}} processor can run 
commands as the NiFi user, potentially impacting the behavior of NiFi itself. 
Other processors that support custom scripts or alternative languages also 
provide the ability to influence the behavior of NiFi itself.

The Java [Security 
Manager|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html]
 provides the ability to prevent certain types of behavior, such as changing 
System properties, accessing files, or opening sockets. However, Java 17 
deprecated the SecurityManager for removal in future versions. At this time, 
there does not appear to be a clear alternative, but something along that line 
seems like it would provide the best approach to protecting NiFi from 
dangerous component settings.

With the ability to support custom extensions, attempting to solve this problem 
for a particular component does not address the broader concern.

In light of the fact that NiFi isolates component class-loading, other 
strategies such as runtime method interception and evaluation might be an 
option. A robust solution would not be trivial, and may have performance 
implications; articulating the general goals would be helpful in evaluating 
potential issues and resolutions.

> Prevent NiFi From Deleting Its Own Configuration Files
> ------------------------------------------------------
>
>                 Key: NIFI-9937
>                 URL: https://issues.apache.org/jira/browse/NIFI-9937
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.0, 1.15.3, 1.16.1
>         Environment: Linux and Windows
>            Reporter: Mike R
>            Priority: Major
>
> There should be a way for NiFi to be unable to delete the files in the .conf 
> directory using the GetFile Processor. 
> This is meant as a way to prevent unintended deletion of the files in the 
> directory by administrators and prevent attackers from using the GetFile 
> processor to delete files in the directory.
> One way this could be accomplished is by changing the GetFile Processor 
> to not delete any file from the .conf directory, regardless of the user 
> selection. Another way is to change the permissions of the directory. Any 
> solutions are welcome, but this should be resolved.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
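
The reporter's first suggestion, a per-component check that refuses to delete anything under the configuration directory, could look like the following. This is an added example, not NiFi code and not part of the original thread; the class name `ProtectedDirectoryGuard` and the temporary directory layout are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not part of NiFi: decides whether a file that a
// processor is about to delete lives inside a protected directory.
public class ProtectedDirectoryGuard {
    private final Path protectedRoot;

    public ProtectedDirectoryGuard(Path protectedDir) throws IOException {
        // Resolve symlinks and relative segments once, up front.
        this.protectedRoot = protectedDir.toRealPath();
    }

    // The candidate must exist (it is about to be deleted). toRealPath()
    // collapses ".." segments and follows symlinks, so an alias pointing
    // into the protected directory is still recognised. Path.startsWith
    // compares whole name elements, so "conf-backup" does not match "conf".
    public boolean isProtected(Path candidate) throws IOException {
        return candidate.toRealPath().startsWith(protectedRoot);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for a NiFi install (assumption).
        Path base = Files.createTempDirectory("nifi-example");
        Path conf = Files.createDirectory(base.resolve("conf"));
        Path props = Files.createFile(conf.resolve("nifi.properties"));
        Path input = Files.createDirectory(base.resolve("input"));
        Path data = Files.createFile(input.resolve("data.csv"));
        Path sibling = Files.createDirectory(base.resolve("conf-backup"));
        Path copy = Files.createFile(sibling.resolve("nifi.properties"));

        ProtectedDirectoryGuard guard = new ProtectedDirectoryGuard(conf);
        System.out.println("direct path:    " + guard.isProtected(props));
        System.out.println("via '..':       " + guard.isProtected(
                input.resolve("../conf/nifi.properties")));
        System.out.println("ordinary input: " + guard.isProtected(data));
        System.out.println("similar name:   " + guard.isProtected(copy));
        try {
            // Symlink creation can fail on Windows without the privilege.
            Path alias = Files.createSymbolicLink(input.resolve("alias"), conf);
            System.out.println("via symlink:    " + guard.isProtected(
                    alias.resolve("nifi.properties")));
        } catch (UnsupportedOperationException | IOException e) {
            System.out.println("symlink case skipped: " + e);
        }
    }
}
```

The check and the later delete are separate steps, and the guard covers only the component that calls it, so it narrows accidental deletion without addressing processors that run commands or scripts, which is the broader concern raised in the comment.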
