[ https://issues.apache.org/jira/browse/SOLR-14015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16989119#comment-16989119 ]

Robert Muir commented on SOLR-14015:
------------------------------------

The problem is the hadoop hacks :(

See SOLR-14020 for an explanation. TLDR: we have to override some methods in 
SecurityManager to implement hadoop hacks for security to work at all in solr.

Basically, Java security is stack based. Different codebases can have different 
permissions. When it checks for a permission, all codebases in the "stacktrace" 
must have permission or it fails.

You can call "doPrivileged" to "truncate the stack" and do something 
"privileged" on behalf of less privileged code. An example would be this Sun 
security provider: it does this, then it accesses /dev/random or whatever.

But now you can see there is *lucene* code in between a bunch of jdk stuff, in 
order to implement the hadoop hacks:
{noformat}
at org.apache.lucene.util.TestSecurityManager.checkRead(TestSecurityManager.java:128)
{noformat}

Yes, this means security will be a real nightmare for solr until something is 
done about hadoop.

> remove blanket filesystem read access from solr-tests.policy
> ------------------------------------------------------------
>
>                 Key: SOLR-14015
>                 URL: https://issues.apache.org/jira/browse/SOLR-14015
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Robert Muir
>            Assignee: Robert Muir
>            Priority: Major
>             Fix For: 8.4
>
>         Attachments: SOLR-14015.patch
>
>
> The lucene policy is strict and specifies only specific locations.
> Unfortunately currently the solr policy allows read to ALL FILES.
> The tests shouldn't be able to read anywhere, e.g. my .ssh/ directory or 
> whatever.
> It is a necessary painful step to eventually eliminate directory traversal 
> attacks, etc.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
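
The stack-walk rule described in the comment above, modelled as an added example (not part of the original message, and not JDK, Lucene or Solr code). The policy entries, codebase labels and call stacks are constructed for illustration; only TestSecurityManager.checkRead is taken from the trace quoted above.

```python
from dataclasses import dataclass

ALL = "*"  # stands in for java.security.AllPermission

@dataclass(frozen=True)
class Frame:
    method: str
    codebase: str
    privileged: bool = False  # True for the frame that called doPrivileged

def first_denying_frame(stack, policy, perm):
    """Walk newest to oldest; return the frame that fails the check, or None."""
    for frame in stack:
        granted = policy.get(frame.codebase, set())
        if ALL not in granted and perm not in granted:
            return frame
        if frame.privileged:
            return None  # truncated here: older callers are never consulted
    return None

# Constructed policy and stacks (newest frame first); codebase names are labels.
POLICY = {
    "jdk": {ALL},
    "lucene-test-framework": {"read:${tests.dir}"},
    "solr-tests": {"read:${tests.dir}"},
}
PERM = "read:/dev/random"

JDK_CHECK = [Frame("AccessController.checkPermission", "jdk"),
             Frame("SecurityManager.checkRead", "jdk")]
JDK_CALLER = [Frame("FileInputStream.<init>", "jdk"),
              Frame("<security provider seeding>", "jdk", privileged=True),
              Frame("<solr test>", "solr-tests")]
OVERRIDE = Frame("org.apache.lucene.util.TestSecurityManager.checkRead",
                 "lucene-test-framework")

STOCK_MANAGER = JDK_CHECK + JDK_CALLER
OVERRIDDEN_MANAGER = JDK_CHECK + [OVERRIDE] + JDK_CALLER
NO_DOPRIVILEGED = JDK_CHECK + [Frame("FileInputStream.<init>", "jdk"),
                               Frame("<solr test>", "solr-tests")]

def report(name, stack):
    denied = first_denying_frame(stack, POLICY, PERM)
    return f"{name}: " + ("granted" if denied is None else f"denied at {denied.method}")

if __name__ == "__main__":
    for name, stack in [("stock SecurityManager", STOCK_MANAGER),
                        ("overridden checkRead", OVERRIDDEN_MANAGER),
                        ("no doPrivileged", NO_DOPRIVILEGED)]:
        print(report(name, stack))
```

In this model the overridden case is denied at the non-JDK frame that sits above the doPrivileged boundary, so that codebase would itself need the read permission for the check to pass.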
