Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 73768 invoked from network); 22 Nov 2006 17:46:08 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 22 Nov 2006 17:46:08 -0000 Received: (qmail 42343 invoked by uid 500); 22 Nov 2006 17:46:18 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 42313 invoked by uid 500); 22 Nov 2006 17:46:18 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 42303 invoked by uid 99); 22 Nov 2006 17:46:17 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Nov 2006 09:46:17 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests=UNPARSEABLE_RELAY X-Spam-Check-By: apache.org Received-SPF: pass (herse.apache.org: local policy) Received: from [192.18.42.249] (HELO nwk-ea-fw-1.sun.com) (192.18.42.249) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 22 Nov 2006 09:46:03 -0800 Received: from d1-sfbay-09.sun.com ([192.18.39.119]) by nwk-ea-fw-1.sun.com (8.13.6+Sun/8.12.9) with ESMTP id kAMHjbYm005528 for ; Wed, 22 Nov 2006 09:45:37 -0800 (PST) Received: from conversion-daemon.d1-sfbay-09.sun.com by d1-sfbay-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) id <0J95005017XA0D00@d1-sfbay-09.sun.com> (original mail from Richard.Hillegas@Sun.COM) for derby-dev@db.apache.org; Wed, 22 Nov 2006 09:45:37 -0800 (PST) Received: from [192.9.61.67] by d1-sfbay-09.sun.com (Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006)) with ESMTPSA id <0J9500HJH8003NLY@d1-sfbay-09.sun.com> for derby-dev@db.apache.org; Wed, 22 Nov 2006 09:45:36 -0800 (PST) Date: Wed, 22 Nov 2006 09:45:09 -0800 From: Rick Hillegas Subject: Re: plugging more security holes in Derby In-reply-to: Sender: Richard.Hillegas@Sun.COM To: derby-dev@db.apache.org Message-id: <45648CA5.8000207@sun.com> MIME-version: 1.0 Content-type: text/plain; format=flowed; charset=ISO-8859-1 Content-transfer-encoding: 7BIT References: <455DF530.1060004@sun.com> User-Agent: Thunderbird 1.5.0.5 (X11/20060828) X-Virus-Checked: Checked by ClamAV on apache.org Dag H. Wanvik wrote: > Thanks for starting this discussion, Rick, I am also interested in > looking at this. > > Rick Hillegas writes: > Thanks, Dag! > >> ... >> >> Missing privileges that are above the level of a single database: >> >> - Create Database >> - Shutdown System >> > > Do we need a privilge for bootAll? BTW, I am not sure how bootAll > property is supposed to work, I could not find it documented. > Agreed. I've added this to the list in DERBY-2109. > >> Missing privileges specific to a particular database: >> >> - Connect to that Database >> - Shutdown that Database >> - Create (in that Database) Java Plugins (currently >> Functions/Procedures, but someday Aggregates and VTIs) >> > > Maybe a separate privilege to upgrade a database would be desirable, > at least hard upgrade. And a privilege to encrypt/re-encrypt a > database? > Agreed. I've added this to the list in DERBY-2109 also. > I assume the new database level system privileges will that require > SQL authorization mode is active, not just the connection > authorization, or...? In a way they are orthogonal, since system > privileges are not defined by SQL. If bundled the name > (derby.database.sqlAuthorization) would be slightly misleading.. > My mind is trending that way too: GRANT/REVOKE would be a natural way to control the per-database privileges even though it would be an extension to the ANSI spec. Other databases use GRANT/REVOKE to control these sorts of non-ANSI privileges. I could talk myself into extending the meaning of derby.database.sqlAuthorization to embrace these non-ANSI privileges: the mechanism (GRANT/REVOKE) is ANSI even though the specific privileges aren't. > The new system level system privileges (e.g. shutdown), would they > also be enabled by SQL authorization mode? > > Dag > > I will try to collect my thoughts on this topic and circulate them later today. Thanks! -Rick