SOLR-13984

Solr should run inside a SecurityManager


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 8.5
    • None
    • None

    Description

      To reduce the effect of attacks, esp. RCE, Solr should run inside a SecurityManager.

      Quoting Uwe here:

      The correct way to fix all issues we have seen the last time is very simple: LET'S RUN SOLR INSIDE A SECURITY MANAGER IN PRODUCTION (like in tests). Elasticsearch is doing this, so please please let's do this instead. But this requires to finally get rid of the web application and start.jar and add our own bootstrapping (like in tests) that configure Jetty and Security Manager from our own org.apache.solr.bootstrap.Main.java (or similar).

      https://jira.apache.org/jira/browse/SOLR-12316?focusedCommentId=16465038&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-16465038
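
How a SecurityManager narrows what injected code can do, as an added example (not Solr's code and not taken from this issue): a bootstrap installs an allow-list policy before any request handling starts, after which process spawning and file writes fail with a SecurityException. The class names `SandboxDemo` and `AllowListPolicy` and the path `/var/solr/data` are hypothetical, and the example assumes a JDK that still permits installing a SecurityManager (the API is deprecated for removal from JDK 17).

```java
import java.io.FileOutputStream;
import java.io.FilePermission;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.ProtectionDomain;
import java.util.PropertyPermission;

// Added illustration, not Solr code: allow-list Policy + SecurityManager.
public class SandboxDemo {
    /** Anything not granted here is denied to application code. */
    static final class AllowListPolicy extends Policy {
        private final Permissions granted = new Permissions();

        AllowListPolicy(String dataDir) {
            // Constructed grants: read-only access below one data directory,
            // plus read access to system properties.
            granted.add(new FilePermission(dataDir + "/-", "read"));
            granted.add(new PropertyPermission("*", "read"));
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return granted.implies(permission);
        }
    }

    interface Action { void run() throws Exception; }

    /** True only when the SecurityManager rejected the action. */
    static boolean blocked(Action action) {
        try {
            action.run();
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (Exception e) {
            return false; // failed for a reason unrelated to the sandbox
        }
    }

    public static void main(String[] args) {
        Policy.setPolicy(new AllowListPolicy("/var/solr/data")); // hypothetical path
        System.setSecurityManager(new SecurityManager());
        System.out.println("spawn process blocked: " + blocked(() -> Runtime.getRuntime().exec("id")));
        System.out.println("file write blocked:    " + blocked(() -> new FileOutputStream("/tmp/sandbox-demo.txt").close()));
        System.out.println("property read blocked: " + blocked(() -> System.getProperty("java.version")));
    }
}
```

The policy is set before the SecurityManager is installed because, once it is active, replacing the policy itself requires a permission this allow-list does not grant.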

            People

              rcmuir Robert Muir
              ichattopadhyaya Ishan Chattopadhyaya
              Votes: 1
              Watchers: 4

                Time Tracking

                  Estimated: Not Specified
                  Remaining: 0h
                  Logged: 3.5h