[ https://issues.apache.org/jira/browse/SOLR-13986?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985608#comment-16985608 ]
Robert Muir commented on SOLR-13986:
------------------------------------

I worked my way through all the slow/nightly tests with the current patch until everything was happy. The holes we have to punch for hadoop aren't pretty, but there really aren't many alternatives:

* can't just grant execute to hadoop JAR only because it doesn't use doPrivileged or anything like that.
* can't just whitelist certain executables because in most cases hadoop uses an unqualified path (e.g. $PATH), so it requires <<ALL FILES>>
* can't just whitelist hadoop Shell stuff because it would just be a different vector for RCE (e.g. attacker uses Shell instead of ProcessBuilder)

So I only punched very specific holes to try to minimize risks, while keeping hadoop stuff still working. Still, it's not good that these holes are needed for all solr users whether they use hadoop or not, so SOLR-13989 is a good one to solve.

I can't promise no test will fail with this patch (I only ran tests over and over on mac), but I think it's a good step. We can let jenkins do its thing, if there are terrible surprises we can revert the commit until they are figured out.

> remove "execute" permission from solr-tests.policy
> --------------------------------------------------
>
>                 Key: SOLR-13986
>                 URL: https://issues.apache.org/jira/browse/SOLR-13986
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public)
>            Reporter: Robert Muir
>            Priority: Major
>         Attachments: SOLR-13986-notyet.patch, SOLR-13986.patch,
> SOLR-13986.patch, SOLR-13986.patch, SOLR-13986.patch
>
>
> If we don't really need to execute processes, we can take the permission
> away. That way any attempt to execute something results in a
> SecurityException rather than running a process.
> It is necessary to first fix the tests policy before thinking about
> supporting securitymanager in solr. This way we can ensure functionality does
> not break via our tests.
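A regression check in the spirit of this issue, as an added example that is not part of the original message or of Solr's build: a Python sketch that scans Java policy-file text for `java.io.FilePermission` grants carrying the `execute` action, and reports whether each one is scoped to a `codeBase` and whether it targets `<<ALL FILES>>`. The sample policy, the paths in it and the function names are constructed for illustration; the parser assumes plain `grant [codeBase "..."] { ... };` blocks.

```python
import re

# Constructed sample policy text; NOT the contents of solr-tests.policy.
SAMPLE_POLICY = '''
// constructed example
grant {
  permission java.io.FilePermission "<<ALL FILES>>", "read,execute";
  permission java.io.FilePermission "${java.io.tmpdir}${/}-", "read,write,delete";
};
grant codeBase "file:/opt/example/lib/example.jar" {
  permission java.io.FilePermission "/usr/bin/id", "execute";
};
/* permission java.io.FilePermission "<<ALL FILES>>", "execute"; */
'''

GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\}\s*;', re.S)
CODEBASE_RE = re.compile(r'codeBase\s+"([^"]*)"')
PERM_RE = re.compile(
    r'permission\s+java\.io\.FilePermission\s+"([^"]*)"\s*,\s*"([^"]*)"\s*;')


def strip_comments(text):
    """Drop /* ... */ blocks and whole-line // comments so that
    commented-out grants are not reported."""
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    return re.sub(r'^\s*//.*$', '', text, flags=re.M)


def find_execute_grants(policy_text):
    """Return one finding per FilePermission entry that includes 'execute'."""
    findings = []
    for header, body in GRANT_RE.findall(strip_comments(policy_text)):
        codebase = CODEBASE_RE.search(header)
        for target, actions in PERM_RE.findall(body):
            action_set = {a.strip().lower() for a in actions.split(',')}
            if 'execute' in action_set:
                findings.append({
                    # None means the grant applies to all code, not one JAR.
                    'codebase': codebase.group(1) if codebase else None,
                    'target': target,
                    'all_files': target == '<<ALL FILES>>',
                })
    return findings


if __name__ == '__main__':
    for f in find_execute_grants(SAMPLE_POLICY):
        scope = f['codebase'] or 'ALL CODE'
        print(f"execute on {f['target']!r} granted to {scope}")
```

A finding with `codebase` set to `None` and `all_files` true is the broadest case: any code running under that policy may start any executable.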