cassandra-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Robert Stupp (JIRA)" <>
Subject [jira] [Commented] (CASSANDRA-9402) Implement proper sandboxing for UDFs
Date Thu, 09 Jul 2015 06:09:05 GMT


Robert Stupp commented on CASSANDRA-9402:

bq. [restricted set of classes] necessary given that we're already restricting the Permissions?

Unfortunately yes. One example is creating a new thread: Although there is a permission to
prevent a new thread being started, the actual check only works from the root thread group
(e.g. from thread {{main}}, see {{java.lang.SecurityManager.checkAccess(ThreadGroup)}} and
{{checkAccess(Thread)}}, which say: {{if (g == rootGroup) checkPermission(SecurityConstants.MODIFY_THREADGROUP_PERMISSION);
else // just return}}) - so you can create and start a new thread from any other thread group
- irrespectively how restrictive the actual permission set is (e.g. no permissions). That's
a quite annoying thing in Java and was a surprising behavior (for me).

> Implement proper sandboxing for UDFs
> ------------------------------------
>                 Key: CASSANDRA-9402
>                 URL:
>             Project: Cassandra
>          Issue Type: Task
>            Reporter: T Jake Luciani
>            Assignee: Robert Stupp
>            Priority: Critical
>              Labels: docs-impacting, security
>             Fix For: 3.0 beta 1
>         Attachments: 9402-warning.txt
> We want to avoid a security exploit for our users.  We need to make sure we ship 2.2
UDFs with good defaults so someone exposing it to the internet accidentally doesn't open themselves
up to having arbitrary code run.

This message was sent by Atlassian JIRA

View raw message