db-derby-dev mailing list archives

From Dag.Wan...@Sun.COM (Dag H. Wanvik)
Subject Re: plugging more security holes in Derby
Date Wed, 22 Nov 2006 17:06:37 GMT

Thanks for starting this discussion, Rick, I am also interested in
looking at this.

Rick Hillegas <Richard.Hillegas@Sun.COM> writes:

> The 10.2 GRANT/REVOKE work was a big step forward in making Derby more
> secure in a client/server configuration. I'd like to plug some more
> security holes in 10.3. In particular, I'd like to focus on
> authorization issues which the ANSI spec doesn't address. I would
> appreciate feedback from the community: what do you think are the most
> important outstanding security issues?
>
> Here are the important issues which occur to me. I'm not sure that
> GRANT/REVOKE will end up being the right way to plug these
> holes. Maybe for some issues, maybe not for others. At this point I
> just want to survey what's missing:
>
> Missing privileges that are above the level of a single database:
>
> - Create Database
> - Shutdown System

Do we need a privilege for bootAll? BTW, I am not sure how the bootAll
property is supposed to work, I could not find it documented.

>
> Missing privileges specific to a particular database:
>
> - Connect to that Database
> - Shutdown that Database
> - Create (in that Database) Java Plugins (currently
> Functions/Procedures, but someday Aggregates and VTIs)

Maybe a separate privilege to upgrade a database would be desirable,
at least hard upgrade. And a privilege to encrypt/re-encrypt a
database?

I assume the new database level system privileges will require that
SQL authorization mode is active, not just the connection
authorization, or...? In a way they are orthogonal, since system
privileges are not defined by SQL. If bundled, the name
(derby.database.sqlAuthorization) would be slightly misleading.

The new system level system privileges (e.g. shutdown), would they
also be enabled by SQL authorization mode?

Dag


>
> What other issues do you think we should list?
>
> (Note that 10.2 gave us GRANT/REVOKE control over the following
> database-specific issues, via granting execute privilege to system
> procedures:
>
> Jar Handling
> Backup Routines
> Admin Routines
> Import/Export
> Property Handling
> Check Table )
>
> I would appreciate the community's advice.
>
> Thanks,
> -Rick
>

-- 
Dag H. Wanvik
Sun Microsystems, Database Technology Group (DBTG)
Haakon VII gt. 7b, N-7485 Trondheim, Norway
Tel: x43496/+47 73842196, Fax:  +47 73842101
