[ 
https://issues.apache.org/jira/browse/SOLR-13984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17002862#comment-17002862
 ] 

ASF subversion and git services commented on SOLR-13984:
--------------------------------------------------------

Commit 126d6b77679102db775a0b241501fe8ce0d8eb9d in lucene-solr's branch 
refs/heads/master from Robert Muir
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=126d6b7 ]

SOLR-13984: add (experimental, disabled by default) security manager support 
(#1082)

* SOLR-13984: add (experimental, disabled by default) security manager support.

User can set SOLR_SECURITY_MANAGER_ENABLED=true to enable security manager at 
runtime.

The current policy file used by tests is moved to solr/server
Additional permissions are granted for the filesystem locations set by 
bin/solr, and networking everywhere is enabled.

This takes advantage of the fact that permission entries are ignored if 
properties are not defined:
https://docs.oracle.com/javase/7/docs/technotes/guides/security/PolicyFiles.html#PropertyExp



> Solr should run inside a SecurityManager
> ----------------------------------------
>
>                 Key: SOLR-13984
>                 URL: https://issues.apache.org/jira/browse/SOLR-13984
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>          Time Spent: 3.5h
>  Remaining Estimate: 0h
>
> To reduce the effect of attacks, esp. RCE, Solr should run inside a 
> SecurityManager.
> Quoting Uwe here:
> {quote}
> The correct way to fix all issues we have seen the last time is very simple: 
> LET'S RUN SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). 
> Elasticsearch is doing this, so please please let's do this instead. But this 
> requires to finally get rid of the webapplication and start.jar and add our 
> own bootstrapping (like in tests) that configure Jetty and Security Manager 
> from our own org.apache.solr.bootstrap.Main.java (or similar).
> {quote}
> https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org

Reply via email to