I think the real issue here is that the user is logged in with a normal account, but runs a shell script using the system account, which is an escalation of privileges.
Considering the feature has existed for a long period, and the user knows the behavior, it's good to preserve it as long as there is a clear disclaimer in the docs. I'm +0.5 for keeping it.

Thanks,
Cheng Pan

> On Apr 13, 2024, at 16:04, Manhua Jiang <man...@apache.org> wrote:
>
> Hi All,
>
> I would like to vote for keeping it.
> Zeppelin offers a way to run scripts without logging in to the server, and
> the interpreter's permission is controlled.
> For the CVE, Zeppelin should not make a lot of effort to validate whether a
> user's code is safe or not (not only shell, but also all coding interpreters
> like python, java, scala etc.), but try our best to keep it safe, so offering
> a server configuration to switch the shell interpreter on/off (default to off)
> for end users should be enough for those who care about this CVE.
>
> BTW, two ideas to avoid the security problem:
> 1. limited commands, like HDFSFileInterpreter
> 2. the shell interpreter adds an option to runAs a lower-privilege user on
> demand, and Zeppelin needs to be launched by a sudoer
>
>
> On 2024/04/11 09:39:56 Jongyoul Lee wrote:
>> Hello,
>>
>> I want to discuss the Shell interpreter issue with you.
>>
>> For your information, we had a security report using the Shell interpreter to
>> execute malicious code with a system account. As you know, it's a kind of
>> characteristic of Apache Zeppelin, but some contributors including me
>> thought it was too risky even if it's a feature. Moreover, I thought that
>> we had some workarounds to do similar executions.
>>
>> However, after releasing it, there were many questions via several channels
>> about the deprecation of the Shell interpreter.
>>
>> I would like to follow the community's decision. For one more piece of
>> information, we already have a security page to warn about the code execution
>> feature, so we can keep the Shell interpreter without any further treatment.
>>
>> Could you please give me your opinion on this?
>>
>> If we conclude on keeping it, I'll release a new release of 0.11.2 including
>> the Shell interpreter again.
>>
>> Best regards,
>> Jongyoul Lee
>>
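The two mitigations Manhua Jiang sketches (a limited command set, and running as a lower-privilege user on demand when the server is started with enough privilege) combined in one added Python sketch. This is illustrative code written for this thread, not Zeppelin's interpreter; `ALLOWED_COMMANDS`, `CommandRejected`, `parse_command`, `run_restricted` and the `run_as` parameter are assumed names.

```python
import os
import pwd
import shlex
import shutil
import subprocess

# Constructed allowlist for illustration; a real deployment would load this
# from server-side configuration that notebook users cannot edit.
ALLOWED_COMMANDS = {"echo", "ls", "cat", "wc"}


class CommandRejected(Exception):
    """Raised when a paragraph asks for something outside the allowlist."""


def parse_command(paragraph: str) -> list:
    """Split with POSIX quoting rules and vet the executable name.

    The command is later run without a shell, so pipes, redirections and ';'
    are never interpreted; at most they reach the program as literal arguments.
    """
    argv = shlex.split(paragraph)
    if not argv:
        raise CommandRejected("empty command")
    # Reject any path component so "./echo" cannot impersonate an allowed name.
    if "/" in argv[0] or argv[0] not in ALLOWED_COMMANDS:
        raise CommandRejected(f"command not allowed: {argv[0]}")
    resolved = shutil.which(argv[0])
    if resolved is None:
        raise CommandRejected(f"command not found on PATH: {argv[0]}")
    return [resolved] + argv[1:]


def _drop_to(user: str):
    """Build a preexec hook that switches the child to `user` (needs root)."""
    entry = pwd.getpwnam(user)
    def hook():
        os.setgid(entry.pw_gid)  # group first, while still privileged
        os.setuid(entry.pw_uid)
    return hook


def run_restricted(paragraph: str, run_as: str = None) -> str:
    """Run an allowlisted command, optionally as `run_as`, and return stdout."""
    # run_as needs a privileged server process (the "launched by sudoer" case).
    argv = parse_command(paragraph)
    hook = _drop_to(run_as) if run_as else None
    done = subprocess.run(argv, capture_output=True, text=True, timeout=30,
                          preexec_fn=hook)
    return done.stdout
```

Note that an allowlist of executable names only bounds which programs run, not what their arguments do, so the set should be chosen per deployment.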