[ https://issues.apache.org/jira/browse/GEODE-2146?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Hitesh Khamesra closed GEODE-2146. ---------------------------------- > function "deploy" only requires DATA:MANAGE privilege, but a malicious user > can write a function to change the securityManager and then execute anything > --------------------------------------------------------------------------------------------------------------------------------------------------------- > > Key: GEODE-2146 > URL: https://issues.apache.org/jira/browse/GEODE-2146 > Project: Geode > Issue Type: Improvement > Components: docs, security > Reporter: Jinmei Liao > Assignee: Jinmei Liao > Fix For: 1.1.0 > > > A simple function would do the following: > SecurityUtils.setSecurityManager(null); > This would jeopardize all the security checks afterwards and let user do > pretty much everything. > We should either sandbox the function execution or have deploy require ALL > permissions. -- This message was sent by Atlassian JIRA (v6.3.15#6346)