[ https://issues.apache.org/jira/browse/SOLR-16671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Houston Putman updated SOLR-16671:
----------------------------------
    Description: 
A lot of security questions arise from various options to add custom libraries 
via a {{{}solrconfig.xml{}}}. When using the recommended solr auth plugin, a 
user requires the {{config-edit}} permission to edit this file. And custom 
libraries will only be used when the solrconfig is trusted by Solr.

Right now the [config-edit permission documentation|https://solr.apache.org/guide/solr/9_1/deployment-guide/rule-based-authorization-plugin.html#predefined-permissions]
does not explicitly spell out that the permission gives users the ability to 
install any custom library to Solr. We should fix this to reduce confusion 
around RCEs.

With our antora docs, I suggest we backport this documentation change to 9.0 
and 9.1, and also update 8.11 for the next patch release.

  was:
A lot of security questions arise from various options to add custom libraries 
via a {{{}solrconfig.xml{}}}. When using the recommended solr auth plugin, a 
user requires the {{config-edit}} permission to edit this file. And custom 
libraries will only be used when the solrconfig is trusted by Solr.

Right now the [config-edit permission documentation|https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html#predefined-permissions]
does not explicitly spell out that the permission gives users the ability to 
install any custom library to Solr. We should fix this to reduce confusion 
around RCEs.

With our antora docs, I suggest we backport this documentation change to 9.0 
and 9.1, and also update 8.11 for the next patch release.


> Explicitly call out library permissions for config-edit
> -------------------------------------------------------
>
>                 Key: SOLR-16671
>                 URL: https://issues.apache.org/jira/browse/SOLR-16671
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authorization, documentation, security
>            Reporter: Houston Putman
>            Priority: Major
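As an added illustration of the point above (this is not a file from the Jira issue or from the Solr project itself), the following is a minimal security.json for the rule-based authorization plugin that grants config-edit only to an "admin" role, so only users in that role can change solrconfig.xml and therefore load custom libraries; the user name "solradmin", the role name and the credentials value are assumptions, and the credentials string is a placeholder for the hash and salt that Solr expects.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solradmin": "<SHA256-HASH-PLACEHOLDER> <SALT-PLACEHOLDER>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "config-edit", "role": "admin"},
      {"name": "config-read", "role": "*"},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {
      "solradmin": "admin"
    }
  }
}
```

Permissions are matched in order and the first match wins, so the narrower config-edit and config-read rules come before the catch-all "all" rule. With this layout any authenticated user can read configuration, but only the admin role can edit it, which is the boundary the documentation change in this issue is meant to make explicit: whoever holds config-edit can install code into Solr.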



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
