[GEODE-2146] function "deploy" only requires DATA:MANAGE privilege, but a malicious user can write a function to change the securityManager and then execute anything - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.1.0
Component/s: docs, security
Labels:
None

Description

A simple function would do the following:

SecurityUtils.setSecurityManager(null);

This would jeopardize all the security checks afterwards and let user do pretty much everything.

We should either sandbox the function execution or have deploy require ALL permissions.

Attachments

Activity

People

Assignee:: Jinmei Liao

Reporter:: Jinmei Liao

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 29/Nov/16 17:06

Updated:: 09/Feb/17 00:40

Resolved:: 01/Dec/16 17:39