Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 48994 invoked from network); 23 Jan 2006 18:33:46 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur.apache.org with SMTP; 23 Jan 2006 18:33:46 -0000 Received: (qmail 13606 invoked by uid 500); 23 Jan 2006 18:33:45 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 13364 invoked by uid 500); 23 Jan 2006 18:33:44 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 13355 invoked by uid 99); 23 Jan 2006 18:33:44 -0000 Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Jan 2006 10:33:44 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (asf.osuosl.org: local policy) Received: from [32.97.182.143] (HELO e3.ny.us.ibm.com) (32.97.182.143) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 23 Jan 2006 10:33:43 -0800 Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234]) by e3.ny.us.ibm.com (8.12.11/8.12.11) with ESMTP id k0NIXLln031166 for ; Mon, 23 Jan 2006 13:33:21 -0500 Received: from d01av04.pok.ibm.com (d01av04.pok.ibm.com [9.56.224.64]) by d01relay02.pok.ibm.com (8.12.10/NCO/VERS6.8) with ESMTP id k0NIXLeK126592 for ; Mon, 23 Jan 2006 13:33:21 -0500 Received: from d01av04.pok.ibm.com (loopback [127.0.0.1]) by d01av04.pok.ibm.com (8.12.11/8.13.3) with ESMTP id k0NIXLHu006343 for ; Mon, 23 Jan 2006 13:33:21 -0500 Received: from [127.0.0.1] (sig-9-48-112-78.mts.ibm.com [9.48.112.78]) by d01av04.pok.ibm.com (8.12.11/8.12.11) with ESMTP id k0NIXKLf006255 for ; Mon, 23 Jan 2006 13:33:21 -0500 Message-ID: <43D52165.3060206@apache.org> Date: Mon, 23 Jan 2006 10:33:09 -0800 From: Daniel John Debrunner User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20040910 X-Accept-Language: en-us, en, de MIME-Version: 1.0 To: derby-dev@db.apache.org Subject: Re: Working with security policy References: <1879766428.1137188780570.JavaMail.jira@ajax.apache.org> <43CFCFC7.9090903@apache.org> <43CFEB45.8020702@sun.com> <43D43524.4000307@sbcglobal.net> <43D4FBB0.5040504@sun.com> In-Reply-To: <43D4FBB0.5040504@sun.com> X-Enigmail-Version: 0.90.0.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N David W. Van Couvering wrote: >>> When I was doing the classloader work, I had to grant permission to >>> the Derby codebase to be able to do classloader-related work >>> (createClassloader, accessClassInPackage.sun.reflect, getClassloader, >>> getProtectionDomain). If there's a good justification for a permission then it's fine to make Derby dependent on it. From a high level view of what you are doing I would have concerns about Derby code needing accessClassInPackage.sun.reflect, getClassloader and getProtectionDomain. Esepecially the one with sun.reflect, isn't that granting internal access to a class of a specific VM implementation? I look at the problem from the view of someone who is running Derby on behalf of a third-party application on their own machine. What minimal set of permissions do they have to grant to Derby? What's the explanation for those permissions? Can they feel comfortable running such an application with the permissions granted? If we said Derby has to be granted permission to read all files, read and write all system properties, etc. then Derby would not be attractive in those situations. >>> How do I know whether granting a certain permission is shadowing a >>> "bug" versus the right thing to do? I don't think there's any shortcut here. One has to understand what resources Derby accesses and does/could that new permission have any effect on those existing accesses. There were/are two ways that I see that granting a permission for reason X could hide a bug: 1) The permission is granted to multiple jars when only one jar requires it. Now that the policy file for the tests split the grants into per-jar sections the chance of this should be low. 2) The permission granted is broader than is actually required for X, and so other code can using it without anyone realising that such a dependency exists. E.g. granting read on all properties hides the fact that the engine might be incorrectly reading user.dir when it should be limited to derby.* properties. Part of my DERBY-615 work is to deliver a write-up on the existing security permissions needed. Dan.