lucene-issues mailing list archives

From "Robert Muir (Jira)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-13984) Solr should run inside a SecurityManager
Date Mon, 02 Dec 2019 11:21:00 GMT

    [ https://issues.apache.org/jira/browse/SOLR-13984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16985976#comment-16985976 ]

Robert Muir commented on SOLR-13984:
------------------------------------

{quote}
But this requires to finally get rid of the webapplication and start.jar and add our own bootstrapping
(like in tests) that configure Jetty and Security Manager from our own org.apache.solr.bootstrap.Main.java
(or similar).
{quote}

I'm hoping to avoid changing how the app starts for this issue. Currently tests have no special
bootstrapping code, it's all done via JVM system properties. I am looking at a similar approach
for this issue.

> Solr should run inside a SecurityManager
> ----------------------------------------
>
>                 Key: SOLR-13984
>                 URL: https://issues.apache.org/jira/browse/SOLR-13984
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>            Reporter: Ishan Chattopadhyaya
>            Priority: Major
>
> To reduce the effect of attacks, esp. RCE, Solr should run inside a SecurityManager.
> Quoting Uwe here:
> {quote}
> The correct way to fix all issues we have seen the last time is very simple: LET'S RUN
> SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). Elasticsearch is doing this,
> so please please let's do this instead. But this requires to finally get rid of the webapplication
> and start.jar and add our own bootstrapping (like in tests) that configure Jetty and Security
> Manager from our own org.apache.solr.bootstrap.Main.java (or similar).
> {quote}
> https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038



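The approach the comment describes, enabling a SecurityManager through JVM system properties alone, shown as an added example that is not part of the original message and is not Solr code. The class name `SandboxProbe`, the file name `demo.policy` and the `data` directory are assumptions made for illustration, and the launch line assumes a JDK from 8 to 17, where the SecurityManager is still supported.

```java
// Constructed policy file, saved as demo.policy (hypothetical name):
//   grant {
//     permission java.util.PropertyPermission "*", "read";
//     permission java.io.FilePermission "${user.dir}${/}data${/}-", "read,write";
//   };
// Start with system properties only, no bootstrap class (JDK 8 to 17):
//   java -Djava.security.manager -Djava.security.policy==demo.policy SandboxProbe
// The "==" makes demo.policy the only policy in effect.
import java.io.File;

public class SandboxProbe {
    interface Action { void run() throws Exception; }

    // Runs one sensitive operation and reports whether the policy let it through.
    static String probe(String what, Action action) {
        try {
            action.run();
            return what + ": ALLOWED";
        } catch (SecurityException e) {
            return what + ": DENIED by SecurityManager (" + e.getMessage() + ")";
        } catch (Exception e) {
            return what + ": permitted, failed for another reason (" + e + ")";
        }
    }

    public static void main(String[] args) {
        System.out.println("SecurityManager installed: "
                + (System.getSecurityManager() != null));
        String dataDir = System.getProperty("user.dir") + File.separator + "data";

        // Spawning a process needs an execute FilePermission the policy does not grant.
        System.out.println(probe("exec child process",
                () -> new ProcessBuilder("id").start()));
        // Read outside the granted directory.
        System.out.println(probe("read /etc/passwd",
                () -> new File("/etc/passwd").canRead()));
        // Switching the sandbox off needs RuntimePermission "setSecurityManager".
        System.out.println(probe("remove SecurityManager",
                () -> System.setSecurityManager(null)));
        // Inside the granted directory: expected to be allowed.
        System.out.println(probe("stat data/index",
                () -> new File(dataDir, "index").exists()));
    }
}
```

Run with the two `-D` properties, the first three probes report DENIED and the last reports ALLOWED; run without them, nothing is denied by a SecurityManager, which is the difference the issue asks to carry from tests into production.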