[ https://issues.apache.org/jira/browse/SOLR-16671?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17690987#comment-17690987 ]
ASF subversion and git services commented on SOLR-16671:
--------------------------------------------------------

Commit c9fa21d3bda2ce36740655c928c8a2fc3b3458b6 in lucene-solr's branch refs/heads/branch_8_11 from Houston Putman
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=c9fa21d3bda ]

SOLR-16671: Explicitly call out library permissions for config-edit

> Explicitly call out library permissions for config-edit
> -------------------------------------------------------
>
> Key: SOLR-16671
> URL: https://issues.apache.org/jira/browse/SOLR-16671
> Project: Solr
> Issue Type: Improvement
> Security Level: Public (Default Security Level. Issues are Public)
> Components: Authorization, documentation, security
> Reporter: Houston Putman
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> A lot of security questions arise from various options to add custom
> libraries via a {{solrconfig.xml}}. When using the recommended solr auth
> plugin, a user requires the {{config-edit}} permission to edit this file. And
> custom libraries will only be used when the solrconfig is trusted by Solr.
> Right now the [config-edit permission
> documentation|https://solr.apache.org/guide/solr/9_1/deployment-guide/rule-based-authorization-plugin.html#predefined-permissions]
> does not explicitly spell out that the permission gives users the ability to
> install any custom library to Solr. We should fix this to reduce confusion
> around RCEs.
>
> With our antora docs, I suggest we backport this documentation change to 9.0
> and 9.1, and also update 8.11 for the next patch release.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
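The issue's point is that whoever holds {{config-edit}} can change solrconfig.xml and therefore load arbitrary libraries into Solr, so that permission deserves the same scrutiny as {{security-edit}}. As an added check (not code from this Jira thread or from the Solr project), the Python script below reads a security.json for the rule-based authorization plugin, lists which users reach config-edit through a named role, and flags rules that open it to every user (role `null`) or every authenticated user (role `*`), as well as a missing trailing `all` rule, since a request that matches no permission is allowed by that plugin. Both sample configurations are constructed for the example, and the credential hashes are placeholders.

```python
"""Audit a Solr security.json for who can reach the config-edit permission.

Added example, not part of the Jira thread or the Solr project. It assumes the
rule-based authorization plugin layout (a "permissions" list and a "user-role"
map under "authorization") and uses two constructed security.json documents.
"""
import json

# Constructed weak sample: config-edit is open to any authenticated user ("*")
# and there is no trailing "all" rule, so unmatched requests are allowed.
WEAK_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "PLACEHOLDER-HASH PLACEHOLDER-SALT",
      "analyst":   "PLACEHOLDER-HASH PLACEHOLDER-SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read",        "role": "*"},
      {"name": "config-edit", "role": "*"}
    ],
    "user-role": {"solradmin": "admin", "analyst": "analyst"}
  }
}
"""

# Constructed hardened sample: config-edit and security-edit limited to the
# admin role, unknown users blocked, and a catch-all "all" rule placed last.
HARDENED_SECURITY_JSON = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "PLACEHOLDER-HASH PLACEHOLDER-SALT",
      "analyst":   "PLACEHOLDER-HASH PLACEHOLDER-SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read",          "role": "*"},
      {"name": "config-edit",   "role": "admin"},
      {"name": "security-edit", "role": "admin"},
      {"name": "all",           "role": "admin"}
    ],
    "user-role": {"solradmin": "admin", "analyst": ["analyst"]}
  }
}
"""


def _as_list(value):
    """Solr accepts a single string or a list for roles; normalise to a list.
    A missing/null role is kept as [None] so the caller can flag it."""
    if value is None:
        return [None]
    if isinstance(value, str):
        return [value]
    return list(value)


def users_with_role(user_role, role):
    """Return the set of users mapped to `role` in the user-role section."""
    return {user for user, roles in user_role.items() if role in _as_list(roles)}


def audit_config_edit(security_json_text):
    """Report who can reach config-edit and which rules make it too broad.

    Returns {"holders": sorted users granted via a named role,
             "findings": list of warnings a reviewer should act on}.
    """
    cfg = json.loads(security_json_text)
    authz = cfg.get("authorization", {})
    permissions = authz.get("permissions", [])
    user_role = authz.get("user-role", {})

    findings = []
    holders = set()
    rules = [p for p in permissions if p.get("name") == "config-edit"]
    if not rules:
        findings.append('no "config-edit" rule: solrconfig.xml edits are not restricted')
    for rule in rules:
        for role in _as_list(rule.get("role")):
            if role is None:
                findings.append('"config-edit" rule has role null: any user, authenticated or not')
            elif role == "*":
                findings.append('"config-edit" rule has role "*": any authenticated user')
            else:
                holders |= users_with_role(user_role, role)

    # Without a trailing "all" rule, a request matching no permission is allowed.
    if not any(p.get("name") == "all" for p in permissions):
        findings.append('no trailing "all" rule: requests matching no permission are allowed')

    return {"holders": sorted(holders), "findings": findings}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_SECURITY_JSON), ("hardened", HARDENED_SECURITY_JSON)):
        report = audit_config_edit(text)
        print(f"{label}: config-edit holders={report['holders']}")
        for finding in report["findings"]:
            print(f"  - {finding}")
```

Run it against a real security.json by replacing the constructed strings with the file contents; the useful outcome is a short, named list of accounts that can install libraries, which is what the documentation change in this issue asks administrators to be aware of.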