You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "David Handermann (Jira)" <ji...@apache.org> on 2022/04/19 18:54:00 UTC

[jira] [Commented] (NIFI-9937) Prevent NiFi From Deleting Its Own Configuration Files

    [ https://issues.apache.org/jira/browse/NIFI-9937?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17524536#comment-17524536 ] 

David Handermann commented on NIFI-9937:
----------------------------------------

Thanks for describing this issue [~msr1716].

NiFi supports the concept of [Restricted Components|https://nifi.apache.org/docs/nifi-docs/html/user-guide.html#Restricted_Components_in_Versioned_Flows], which allow an administrator to limit access to components that are capable of certain activities, such as accessing the filesystem.

Several other components have the same types of issues described for {{GetFile}}. For instance, the {{ExecuteStreamCommand}} processor can run commands as the NiFi user, potentially impacting the behavior of NiFi itself. Other processors that support custom scripts or alternative languages also provide the ability to influence the behavior of NiFi itself.

The Java [Security Manager|https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/lang/SecurityManager.html] provides the ability to prevent certain types of behavior, such as changing System properties, accessing files, or opening sockets. However, Java 17 deprecated the SecurityManager for removal in future versions. At this time, there does not appear to be a clear alternative, but something along that line seems like it would provide a the best approach to protecting NiFi from dangerous component settings.

With the ability to support custom extensions, attempting to solve this problem for a particular component does not address the broader concern.

In light of the fact that NiFi isolates component class-loading, other strategies such as runtime method interception and evaluation might be an option. A robust solution would not be trivial, and may have performance implications, articulating the general goals would be helpful in evaluating potential issues and resolutions.

> Prevent NiFi From Deleting Its Own Configuration Files
> ------------------------------------------------------
>
>                 Key: NIFI-9937
>                 URL: https://issues.apache.org/jira/browse/NIFI-9937
>             Project: Apache NiFi
>          Issue Type: Improvement
>    Affects Versions: 1.16.0, 1.15.3, 1.16.1
>         Environment: Linux and Windows
>            Reporter: Mike R
>            Priority: Major
>
> There should be a way for NiFi to be unable to delete the files in the .conf directory using the GetFile Processor. 
> This is meant as a way to prevent unintended deletion of the files in the directory by administrators and prevent attackers from using the GetFile processor to delete files in the directory.
> One way to do this would be accomplished is by changing the GetFile Processor to not delete any file from the .conf directory, regardless of the user selection. Another way is to change the permissions of the directory. Any solutions are welcome, but this should be resolved.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)