Re: [DISCUSS] Shell interpreter
Hello,

Thank you for your opinion. Almost all opinions show that we'd better keep Shell interpreter. Following Apache rule, I'll make a vote in two days. Please leave your various opinions.

Best regards,
Jongyoul Lee

On Mon, Apr 15, 2024 at 6:59 PM, Danny Cranmer wrote:

> +1 for keeping the interpreter. It poses no additional security risk to any interpreter that runs arbitrary code. For instance, it is equivalent to running Python subprocess commands (unless I am missing something).
>
> Thanks,
> Danny
>
> On Mon, Apr 15, 2024 at 9:57 AM Cheng Pan wrote:
>
> > I think the real issue here is that the user is logged in with a normal account, but runs a shell script using the system account, which is an escalation of privileges.
> >
> > Considering the feature has existed for a long period, and the user knows the behavior, it’s good to reserve it as long as there is a clear disclaimer in the docs.
> >
> > I’m +0.5 for keeping it.
> >
> > Thanks,
> > Cheng Pan
> >
> > > On Apr 13, 2024, at 16:04, Manhua Jiang wrote:
> > >
> > > Hi All,
> > >
> > > I would like to vote for keeping it.
> > > Zeppelin offers a way to run scripts without logging in to the server, and the interpreter's permission is controlled.
> > > For the CVE, Zeppelin should not make a lot of effort to validate whether the user's code is safe or not (not only shell, but also all coding interpreters like python, java, scala etc.), but try our best to keep it safe, so offering a server configuration to switch on/off (default to off) the shell interpreter to end users should be enough for those who care about this CVE.
> > >
> > > BTW, sharing 2 ideas to avoid security problems:
> > > 1. limited commands like HDFSFileInterpreter
> > > 2. shell interpreter adds options to runAs a lower-privilege user on demand, and Zeppelin needs to be launched by a sudoer
> > >
> > > On 2024/04/11 09:39:56 Jongyoul Lee wrote:
> > > > Hello,
> > > >
> > > > I want to discuss the Shell interpreter issue with you.
> > > >
> > > > For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.
> > > >
> > > > However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.
> > > >
> > > > I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.
> > > >
> > > > Could you please give me your opinion on this?
> > > >
> > > > If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.
> > > >
> > > > Best regards,
> > > > Jongyoul Lee

--
Best regards,
Jongyoul Lee
Re: [DISCUSS] Shell interpreter
+1 for keeping the interpreter. It poses no additional security risk to any interpreter that runs arbitrary code. For instance, it is equivalent to running Python subprocess commands (unless I am missing something).

Thanks,
Danny

On Mon, Apr 15, 2024 at 9:57 AM Cheng Pan wrote:

> I think the real issue here is that the user is logged in with a normal account, but runs a shell script using the system account, which is an escalation of privileges.
>
> Considering the feature has existed for a long period, and the user knows the behavior, it’s good to reserve it as long as there is a clear disclaimer in the docs.
>
> I’m +0.5 for keeping it.
>
> Thanks,
> Cheng Pan
>
> > On Apr 13, 2024, at 16:04, Manhua Jiang wrote:
> >
> > Hi All,
> >
> > I would like to vote for keeping it.
> > Zeppelin offers a way to run scripts without logging in to the server, and the interpreter's permission is controlled.
> > For the CVE, Zeppelin should not make a lot of effort to validate whether the user's code is safe or not (not only shell, but also all coding interpreters like python, java, scala etc.), but try our best to keep it safe, so offering a server configuration to switch on/off (default to off) the shell interpreter to end users should be enough for those who care about this CVE.
> >
> > BTW, sharing 2 ideas to avoid security problems:
> > 1. limited commands like HDFSFileInterpreter
> > 2. shell interpreter adds options to runAs a lower-privilege user on demand, and Zeppelin needs to be launched by a sudoer
> >
> > On 2024/04/11 09:39:56 Jongyoul Lee wrote:
> > > Hello,
> > >
> > > I want to discuss the Shell interpreter issue with you.
> > >
> > > For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.
> > >
> > > However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.
> > >
> > > I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.
> > >
> > > Could you please give me your opinion on this?
> > >
> > > If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.
> > >
> > > Best regards,
> > > Jongyoul Lee
Re: [DISCUSS] Shell interpreter
I think the real issue here is that the user is logged in with a normal account, but runs a shell script using the system account, which is an escalation of privileges.

Considering the feature has existed for a long period, and the user knows the behavior, it’s good to reserve it as long as there is a clear disclaimer in the docs.

I’m +0.5 for keeping it.

Thanks,
Cheng Pan

> On Apr 13, 2024, at 16:04, Manhua Jiang wrote:
>
> Hi All,
>
> I would like to vote for keeping it.
> Zeppelin offers a way to run scripts without logging in to the server, and the interpreter's permission is controlled.
> For the CVE, Zeppelin should not make a lot of effort to validate whether the user's code is safe or not (not only shell, but also all coding interpreters like python, java, scala etc.), but try our best to keep it safe, so offering a server configuration to switch on/off (default to off) the shell interpreter to end users should be enough for those who care about this CVE.
>
> BTW, sharing 2 ideas to avoid security problems:
> 1. limited commands like HDFSFileInterpreter
> 2. shell interpreter adds options to runAs a lower-privilege user on demand, and Zeppelin needs to be launched by a sudoer
>
> On 2024/04/11 09:39:56 Jongyoul Lee wrote:
> > Hello,
> >
> > I want to discuss the Shell interpreter issue with you.
> >
> > For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.
> >
> > However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.
> >
> > I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.
> >
> > Could you please give me your opinion on this?
> >
> > If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.
> >
> > Best regards,
> > Jongyoul Lee
Re: [DISCUSS] Shell interpreter
Hi All,

I would like to vote for keeping it.
Zeppelin offers a way to run scripts without logging in to the server, and the interpreter's permission is controlled.
For the CVE, Zeppelin should not make a lot of effort to validate whether the user's code is safe or not (not only shell, but also all coding interpreters like python, java, scala etc.), but try our best to keep it safe, so offering a server configuration to switch on/off (default to off) the shell interpreter to end users should be enough for those who care about this CVE.

BTW, sharing 2 ideas to avoid security problems:
1. limited commands like HDFSFileInterpreter
2. shell interpreter adds options to runAs a lower-privilege user on demand, and Zeppelin needs to be launched by a sudoer

On 2024/04/11 09:39:56 Jongyoul Lee wrote:
> Hello,
>
> I want to discuss the Shell interpreter issue with you.
>
> For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.
>
> However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.
>
> I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.
>
> Could you please give me your opinion on this?
>
> If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.
>
> Best regards,
> Jongyoul Lee
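Added example, not part of the thread and not Zeppelin code: a minimal sketch of the mitigations proposed in the message above (an on/off switch that defaults to off, a limited command set, and an optional lower-privilege account). The policy keys and the `check`/`run` helpers are hypothetical names chosen for illustration.

```python
import shlex
import subprocess

# Hypothetical policy for illustration; these are not Zeppelin configuration keys.
DEFAULT_POLICY = {
    "enabled": False,                  # switch from the thread: off unless an admin opts in
    "allowed": {"ls", "cat", "date"},  # idea 1: a fixed set of commands
    "run_as": None,                    # idea 2: lower-privilege account name, or None
}


class PolicyError(Exception):
    """The paragraph was refused before anything was executed."""


def check(line, policy=DEFAULT_POLICY):
    """Return argv for a permitted command line, or raise PolicyError."""
    if not policy.get("enabled", False):
        raise PolicyError("shell interpreter is disabled")
    try:
        argv = shlex.split(line)
    except ValueError as exc:          # e.g. an unterminated quote
        raise PolicyError(f"unparsable command: {exc}") from exc
    if not argv:
        raise PolicyError("empty command")
    # Exact-name match: "/tmp/ls" or "./ls" does not pass as "ls".
    if argv[0] not in policy["allowed"]:
        raise PolicyError(f"command not allowed: {argv[0]}")
    return argv


def run(line, policy=DEFAULT_POLICY, timeout=5):
    """Execute one permitted command without a shell; return (exit code, stdout)."""
    argv = check(line, policy)
    # No shell=True, so ';', '|' and '$(...)' stay literal arguments.
    # user= (Python 3.9+, POSIX) switches account before exec; the parent
    # process needs the privilege to do so, as the thread notes.
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, user=policy.get("run_as"))
    return done.returncode, done.stdout
```

The allowlist limits which programs start, not what they can reach: an allowed `cat` still reads any file the executing account can, which is why the lower-privilege account matters alongside it.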
Re: [DISCUSS] Shell interpreter
Hello,

I went back and re-read the mailing list summary of CVE-2024-31861 before composing this message, and I still don't quite grasp what the reporter/finder of the alleged vulnerability thinks they found. I followed the links to the NVD at NIST, and didn't find any more substantive information from the reporter.

The CVE says that the Shell interpreter can be used as "a code generation gateway", but doesn't say that the Shell interpreter does anything that enables privilege escalation for any generated code. Heck, Visual Studio Code allows a programmer to launch a terminal/shell from within that editor, is that the same thing as "a code generation gateway"?

If we took the assertions here at face value, I think it would be extraordinarily difficult to write a shell interpreter that could address the implicit claims made about "Improper Control of Generation of Code" while still providing the necessary functionality.

I guess I'm saying it would have been great to get more information from the originating reporter of the alleged vulnerability. In the absence of more information about what proper control of the code generation would constitute, I agree with Michiel that we should update the documentation and republish the shell interpreter.

Bill

On Thu, Apr 11, 2024 at 2:40 AM Jongyoul Lee wrote:

> Hello,
>
> I want to discuss the Shell interpreter issue with you.
>
> For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.
>
> However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.
>
> I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.
>
> Could you please give me your opinion on this?
>
> If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.
>
> Best regards,
> Jongyoul Lee
[DISCUSS] Shell interpreter
Hello,

I want to discuss the Shell interpreter issue with you.

For your information, we had a security report using Shell interpreter to execute malicious code with a system account. As you know, it's a kind of characteristic of Apache Zeppelin but some contributors including me thought it was too risky even if it's a feature. Moreover, I thought that we had some workarounds to do similar executions.

However, after releasing it, there were many questions via several channels about the deprecation of Shell interpreter.

I would like to follow the community's decision. For one more piece of information, we already have a security page to warn about the code execution feature so we can keep the Shell interpreter without any further treatment.

Could you please give me your opinion on this?

If we conclude keeping it, I'll release a new release of 0.11.2 including Shell interpreter again.

Best regards,
Jongyoul Lee