[ https://issues.apache.org/jira/browse/SOLR-16671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690963#comment-17690963 ]
ASF subversion and git services commented on SOLR-16671:
--------------------------------------------------------
Commit c2558e69af16674cafbc060dc6828763e94932e9 in solr's branch
refs/heads/branch_9_1 from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=c2558e69af1 ]
SOLR-16671: Explicitly call out library permissions for config-edit (#1370)
(cherry picked from commit d6b8f300711a59230531c855809debb745eb72a8)
> Explicitly call out library permissions for config-edit
> -------------------------------------------------------
>
> Key: SOLR-16671
> URL: https://issues.apache.org/jira/browse/SOLR-16671
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authorization, documentation, security
> Reporter: Houston Putman
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> A lot of security questions arise from various options to add custom
> libraries via a {{solrconfig.xml}}. When using the recommended solr auth
> plugin, a user requires the {{config-edit}} permission to edit this file. And
> custom libraries will only be used when the solrconfig is trusted by Solr.
> Right now the [config-edit permission documentation|https://solr.apache.org/guide/solr/9_1/deployment-guide/rule-based-authorization-plugin.html#predefined-permissions]
> does not explicitly spell out that the permission gives users the ability to
> install any custom library to Solr. We should fix this to reduce confusion
> around RCEs.
> With our antora docs, I suggest we backport this documentation change to 9.0
> and 9.1, and also update 8.11 for the next patch release.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
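As an added example (not part of the issue, the commit, or Solr's own code): a small audit script that reads a security.json of the shape the Rule-Based Authorization Plugin uses and reports which users effectively hold config-edit, treating the catch-all `all` permission as equivalent and flagging grants to `*` or null. The sample security.json, the user names and the helper names are constructed for this example.

```python
"""Audit a Solr security.json for who effectively holds config-edit.

Constructed example, not Solr's code. Assumes the RuleBasedAuthorizationPlugin
layout: "permissions" (name + role) and "user-role" (user -> role or list).
"""
import json

# Predefined permissions that allow changing solrconfig.xml, and therefore
# pointing Solr at arbitrary <lib> jars: "config-edit" itself and the
# catch-all "all".
CONFIG_WRITE_PERMS = {"config-edit", "all"}

# Constructed sample: one admin, one developer granted config-edit directly.
SAMPLE_SECURITY_JSON = """
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "config-edit", "role": "developer"},
      {"name": "read", "role": "*"},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"solr": "admin", "dev": ["developer", "reader"], "bob": "reader"}
  }
}
"""


def roles_of(user_roles, user):
    """Roles of one user; "user-role" values may be a string or a list."""
    r = user_roles.get(user, [])
    return {r} if isinstance(r, str) else set(r)


def config_editors(security_json: str):
    """Return (users, broad_grants): users who can edit solrconfig.xml, and
    the names of config-writing permissions granted to '*' or null, i.e. not
    tied to a specific role. Roles are collected from every matching
    permission entry, so the result is a conservative (superset) view."""
    authz = json.loads(security_json)["authorization"]
    user_roles = authz.get("user-role", {})
    privileged_roles, broad = set(), []
    for perm in authz.get("permissions", []):
        if perm.get("name") not in CONFIG_WRITE_PERMS:
            continue
        role = perm.get("role")
        if role is None or role == "*":
            broad.append(perm["name"])
            continue
        privileged_roles |= {role} if isinstance(role, str) else set(role)
    users = {u for u in user_roles if roles_of(user_roles, u) & privileged_roles}
    return sorted(users), broad
```

Any name in the first list should be treated as able to deploy code into Solr, and any entry in the second list as a misconfiguration to fix before relying on the plugin.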