[ 
https://issues.apache.org/jira/browse/SOLR-16671?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Houston Putman resolved SOLR-16671.
-----------------------------------
    Fix Version/s: 8.11.3
                   9.2
         Assignee: Houston Putman
       Resolution: Done

> Explicitly call out library permissions for config-edit
> -------------------------------------------------------
>
>                 Key: SOLR-16671
>                 URL: https://issues.apache.org/jira/browse/SOLR-16671
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authorization, documentation, security
>            Reporter: Houston Putman
>            Assignee: Houston Putman
>            Priority: Major
>             Fix For: 8.11.3, 9.2
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> A lot of security questions arise from various options to add custom 
> libraries via a {{solrconfig.xml}}. When using the recommended Solr auth 
> plugin, a user requires the {{config-edit}} permission to edit this file. And 
> custom libraries will only be used when the solrconfig is trusted by Solr.
> Right now the [config-edit permission documentation|https://solr.apache.org/guide/solr/9_1/deployment-guide/rule-based-authorization-plugin.html#predefined-permissions] 
> does not explicitly spell out that the permission gives users the ability to 
> install any custom library to Solr. We should fix this to reduce confusion 
> around RCEs.
> With our antora docs, I suggest we backport this documentation change to 9.0 
> and 9.1, and also update 8.11 for the next patch release.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
