Date: Fri, 17 Nov 2006 09:45:20 -0800
From: Rick Hillegas
To: derby-dev@db.apache.org
Subject: plugging more security holes in Derby

The 10.2 GRANT/REVOKE work was a big step forward in making Derby more secure in a client/server configuration. I'd like to plug some more security holes in 10.3. In particular, I'd like to focus on authorization issues which the ANSI spec doesn't address. I would appreciate feedback from the community: what do you think are the most important outstanding security issues?

Here are the important issues which occur to me. I'm not sure that GRANT/REVOKE will end up being the right way to plug these holes. Maybe for some issues, maybe not for others. At this point I just want to survey what's missing:

Missing privileges that are above the level of a single database:

- Create Database
- Shutdown System

Missing privileges specific to a particular database:

- Connect to that Database
- Shutdown that Database
- Create (in that Database) Java Plugins (currently Functions/Procedures, but someday Aggregates and VTIs)

What other issues do you think we should list?

(Note that 10.2 gave us GRANT/REVOKE control over the following database-specific issues, via granting execute privilege to system procedures:

Jar Handling
Backup Routines
Admin Routines
Import/Export
Property Handling
Check Table
)

I would appreciate the community's advice.

Thanks,
-Rick