accumulo-notifications mailing list archives

From "Sean Busbey (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-3224) Shell should use nanos for auth timeout
Date Tue, 14 Oct 2014 12:51:33 GMT


Sean Busbey commented on ACCUMULO-3224:

I think overall the shell timeout is a low risk since an attacker could always recompile the
code without a timeout in place. It might be worth a note in the operations manual about what
we expect from the OS and the remaining vulnerability (besides the recompile there's CLOCK_MONOTONIC
being subject to adjtimex). Worth a follow-on ticket or an addendum?

> Shell should use nanos for auth timeout
> ---------------------------------------
>                 Key: ACCUMULO-3224
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: shell
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
>             Fix For: 1.5.3, 1.6.2, 1.7.0
>         Attachments: 0001-ACCUMULO-3224-Use-nanoTime-in-the-shell-s-auth-timeo.patch
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
> I was looking at the code done for ACCUMULO-3221 and noticed that we're using the system
> clock instead of the JDK's internal relative time, System.nanoTime(). This is a problem, because
> any auth timeout that depends on the system clock can be easily bypassed by changing the system
> We can also do the time conversion more reliably with {{TimeUnit}} to avoid the potential
> arithmetic bug identified in ACCUMULO-3221.

This message was sent by Atlassian JIRA
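
An added example, not part of the original message or the attached Accumulo patch, of the point made in the ticket: an idle timeout measured on the wall clock stops firing once the clock is set back, while one measured with System.nanoTime()-style relative ticks and converted with TimeUnit still fires, even across a counter wrap. The class and variable names, the 60-minute timeout and the simulated clock readings are assumptions made for the illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.function.LongSupplier;

public class AuthTimeoutDemo {
    /** Idle timer driven by an injectable tick source so both kinds of clock can be simulated. */
    static final class IdleTimer {
        private final LongSupplier ticks;  // current clock reading
        private final long timeoutTicks;   // timeout expressed in the clock's own unit
        private long lastUse;

        IdleTimer(LongSupplier ticks, long timeoutTicks) {
            this.ticks = ticks;
            this.timeoutTicks = timeoutTicks;
            this.lastUse = ticks.getAsLong();
        }

        void touch() { lastUse = ticks.getAsLong(); }

        // Compare the elapsed difference, never absolute readings: nanoTime() has an
        // arbitrary origin and may wrap, and two's-complement subtraction stays correct.
        boolean reauthRequired() { return ticks.getAsLong() - lastUse > timeoutTicks; }
    }

    public static void main(String[] args) {
        long timeoutMinutes = 60; // constructed sample value

        // Simulated clocks (constructed values): the wall clock can be reset by whoever
        // controls the host, the relative counter only moves forward.
        long[] wallMillis = { 1_413_291_093_000L };
        long[] monoNanos = { Long.MAX_VALUE - 5 }; // start just below the wrap point

        // TimeUnit does the unit conversion instead of hand-written multiplication.
        IdleTimer wall = new IdleTimer(() -> wallMillis[0], TimeUnit.MINUTES.toMillis(timeoutMinutes));
        IdleTimer mono = new IdleTimer(() -> monoNanos[0], TimeUnit.MINUTES.toNanos(timeoutMinutes));

        // Two hours of real time pass on both clocks (the relative counter wraps).
        wallMillis[0] += TimeUnit.HOURS.toMillis(2);
        monoNanos[0] += TimeUnit.HOURS.toNanos(2);

        // The system clock is then set back three hours; the relative counter is unaffected.
        wallMillis[0] -= TimeUnit.HOURS.toMillis(3);

        System.out.println("wall-clock timer requires re-auth: " + wall.reauthRequired());
        System.out.println("relative timer requires re-auth:   " + mono.reauthRequired());
    }
}
```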
