accumulo-notifications mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3224) Shell should use nanos for auth timeout
Date Tue, 14 Oct 2014 12:51:33 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3224?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14170870#comment-14170870 ]

Sean Busbey commented on ACCUMULO-3224:
---------------------------------------

I think overall the shell timeout is a low risk since an attacker could always recompile the
code without a timeout in place. It might be worth a note in the operations manual about what
we expect from the OS and the remaining vulnerability (besides the recompile there's CLOCK_MONOTONIC
being subject to adjtimex). Worth a follow-on ticket or an addendum?

> Shell should use nanos for auth timeout
> ---------------------------------------
>
>                 Key: ACCUMULO-3224
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3224
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: shell
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>             Fix For: 1.5.3, 1.6.2, 1.7.0
>
>         Attachments: 0001-ACCUMULO-3224-Use-nanoTime-in-the-shell-s-auth-timeo.patch
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> I was looking at the code done for ACCUMULO-3221 and noticed that we're using the system
> clock instead of the JDK's internal relative time, System.nanoTime(). This is a problem, because
> any auth timeout that depends on the system clock can be easily bypassed by changing the system
> time.
> We can also do the time conversion more reliably with {{TimeUnit}} to avoid the potential
> arithmetic bug identified in ACCUMULO-3221.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
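
The difference between the two time sources discussed in the issue, as an added Java example that is not part of the original message or of Accumulo's shell code. The class `AuthTimeoutDemo`, its methods, and the simulated clock values are hypothetical and constructed for illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;

/** Added illustration; names are hypothetical, not Accumulo's shell code. */
public class AuthTimeoutDemo {
  private final LongSupplier nanoClock; // monotonic source; System::nanoTime in real use
  private final long timeoutNanos;
  private long lastActivityNanos;

  AuthTimeoutDemo(long timeout, TimeUnit unit, LongSupplier nanoClock) {
    this.nanoClock = nanoClock;
    this.timeoutNanos = unit.toNanos(timeout); // TimeUnit saturates instead of overflowing
    this.lastActivityNanos = nanoClock.getAsLong();
  }

  /** Record user activity, restarting the idle period. */
  void touch() { lastActivityNanos = nanoClock.getAsLong(); }

  /** Compare by subtraction, as the nanoTime() Javadoc requires, so wraparound is harmless. */
  boolean mustReauthenticate() {
    return nanoClock.getAsLong() - lastActivityNanos >= timeoutNanos;
  }

  /** The wall-clock form of the check, kept only for contrast. */
  static boolean wallClockExpired(long lastActivityMillis, long nowMillis, long timeoutMillis) {
    return nowMillis - lastActivityMillis > timeoutMillis;
  }

  public static void main(String[] args) {
    long timeoutMin = 60;
    // Constructed scenario: 90 real minutes pass while the system clock is set back 2 hours.
    long[] mono = {0L};                  // simulated monotonic clock, in nanoseconds
    long wallStart = 1_413_291_093_000L; // constructed epoch-millis sample
    AuthTimeoutDemo t = new AuthTimeoutDemo(timeoutMin, TimeUnit.MINUTES, () -> mono[0]);

    mono[0] += TimeUnit.MINUTES.toNanos(90);
    long wallNow = wallStart + TimeUnit.MINUTES.toMillis(90) - TimeUnit.HOURS.toMillis(2);

    boolean wall = wallClockExpired(wallStart, wallNow, TimeUnit.MINUTES.toMillis(timeoutMin));
    System.out.println("wall-clock check expired: " + wall);
    System.out.println("monotonic check expired:  " + t.mustReauthenticate());

    // With the real monotonic clock, a freshly created session is not yet expired.
    AuthTimeoutDemo live = new AuthTimeoutDemo(timeoutMin, TimeUnit.MINUTES, System::nanoTime);
    System.out.println("fresh session expired:    " + live.mustReauthenticate());
  }
}
```

The elapsed-time check depends only on the difference between two `nanoTime()` readings, so changes to the system date do not affect it; the residual exposure noted in the comment above (recompiling the client, or adjusting CLOCK_MONOTONIC via adjtimex) is outside what this check can address.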