[ 
https://issues.apache.org/jira/browse/SOLR-13984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985411#comment-16985411
 ] 

Robert Muir commented on SOLR-13984:
------------------------------------

Hi Ishan: what do you think about narrowing the scope of this first issue to 
disabling process execution (e.g. RCE). I think this may be challenging enough.

Implementing this "fully", to do things like protect filesystem access to 
defend against other attacks like directory traversal, will likely involve 
major changes. For example if users can do HTTP requests that spin up new cores 
on arbitrary filesystem locations, and that model must be supported, then it's 
impossible to really limit filesystem access. And if components try to allow 
arbitrary execution of scripts or similar, it gets heavy.

Essentially to secure the application, it is more than just adding some 
'sandbox feature', usually code has to be refactored around principle of least 
priv and code with security issues has to be fixed. SOLR-13982 is a good 
example of this: browser's 'sandbox feature' is not fully effective until we 
actually fix the underlying code to be more secure.

But I think we should special case RCE: disable process execution and try to 
make it impossible as a first step.

> Solr should run inside a SecurityManager
> ----------------------------------------
>
>                 Key: SOLR-13984
>                 URL: https://issues.apache.org/jira/browse/SOLR-13984
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> To reduce the effect of attacks, esp. RCE, Solr should run inside a 
> SecurityManager.
> Quoting Uwe here:
> {quote}
> The correct way to fix all issues we have seen the last time is very simple: 
> LET'S RUN SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). 
> Elasticsearch is doing this, so please please let's do this instead. But this 
> requires to finally get rid of the webapplication and start.jar and add our 
> own bootstrapping (like in tests) that configure Jetty and Security Manager 
> from our own org.apache.solr.bootstrap.Main.java (or similar).
> {quote}
> https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038
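The "special case RCE" first step suggested in the comment above, as an added illustration that is not code from the thread or from Solr: a minimal SecurityManager that refuses process execution while leaving everything else permitted. The class name NoExecSecurityManager and the demonstration in main() are hypothetical.

```java
import java.io.FilePermission;
import java.security.Permission;

/**
 * Denies process execution and nothing else. Hypothetical example code,
 * not Solr's implementation.
 */
public class NoExecSecurityManager extends SecurityManager {

    /** Runtime.exec() and ProcessBuilder.start() call this with the program path. */
    @Override
    public void checkExec(String cmd) {
        throw new SecurityException("process execution is disabled: " + cmd);
    }

    /**
     * Permit every permission except FilePermission with the "execute" action,
     * which is what the default checkExec() maps to. Denying it here covers code
     * paths that check the permission directly rather than via checkExec().
     */
    @Override
    public void checkPermission(Permission perm) {
        if (perm instanceof FilePermission && perm.getActions().contains("execute")) {
            throw new SecurityException("execute permission denied for " + perm.getName());
        }
    }

    @Override
    public void checkPermission(Permission perm, Object context) {
        checkPermission(perm);
    }

    public static void main(String[] args) {
        System.setSecurityManager(new NoExecSecurityManager());

        // Ordinary filesystem reads are still allowed (checkRead -> FilePermission "read").
        System.out.println(new java.io.File(".").list().length + " entries readable");

        // Spawning a process is refused with a SecurityException.
        try {
            new ProcessBuilder("true").start();
            System.out.println("UNEXPECTED: process started");
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        } catch (java.io.IOException e) {
            System.out.println("I/O error: " + e.getMessage());
        }
    }
}
```

SecurityManager is deprecated for removal since JDK 17 (JEP 411), and from JDK 18 on the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed.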



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
