Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 85234 invoked from network); 28 Nov 2006 19:07:39 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 28 Nov 2006 19:07:39 -0000 Received: (qmail 35546 invoked by uid 500); 28 Nov 2006 19:07:48 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 35506 invoked by uid 500); 28 Nov 2006 19:07:47 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 35497 invoked by uid 99); 28 Nov 2006 19:07:47 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Nov 2006 11:07:47 -0800 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (herse.apache.org: local policy) Received: from [32.97.182.142] (HELO e2.ny.us.ibm.com) (32.97.182.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 28 Nov 2006 11:07:33 -0800 Received: from d01relay02.pok.ibm.com (d01relay02.pok.ibm.com [9.56.227.234]) by e2.ny.us.ibm.com (8.13.8/8.12.11) with ESMTP id kASJ7A5B004354 for ; Tue, 28 Nov 2006 14:07:10 -0500 Received: from d01av01.pok.ibm.com (d01av01.pok.ibm.com [9.56.224.215]) by d01relay02.pok.ibm.com (8.13.6/8.13.6/NCO v8.1.1) with ESMTP id kASJ7AR9256500 for ; Tue, 28 Nov 2006 14:07:10 -0500 Received: from d01av01.pok.ibm.com (loopback [127.0.0.1]) by d01av01.pok.ibm.com (8.12.11.20060308/8.13.3) with ESMTP id kASJ79VK017802 for ; Tue, 28 Nov 2006 14:07:09 -0500 Received: from [127.0.0.1] (DMCSDJDT41P.usca.ibm.com [9.72.133.51]) by d01av01.pok.ibm.com (8.12.11.20060308/8.12.11) with ESMTP id kASJ78sT017736 for ; Tue, 28 Nov 2006 14:07:09 -0500 Message-ID: <456C88DC.8080009@apache.org> Date: Tue, 28 Nov 2006 11:07:08 -0800 From: Daniel John Debrunner User-Agent: Thunderbird 1.5.0.8 (Windows/20061025) MIME-Version: 1.0 To: derby-dev@db.apache.org Subject: Java routine security Was Re: plugging more security holes in Derby References: <455DF530.1060004@sun.com> <456B8353.7030806@apache.org> <456C4AE9.2030607@sun.com> In-Reply-To: <456C4AE9.2030607@sun.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Rick Hillegas wrote: > Daniel John Debrunner wrote: >> Rick Hillegas wrote: >>> - Create (in that Database) Java Plugins (currently >>> Functions/Procedures, but someday Aggregates and VTIs) >> >> Can you explain what this means, what security issue are you trying to >> address? > I'm concerned about being able to exploit security holes in code not > supplied by Derby or the application. For instance, security holes in > the jdk classes or in other applications hosted on the same vm. This is actually due to an extension to the SQL standard (part 13) that Derby and other databases provide. The ability to have the EXTERNAL NAME for a Java routine to be a method in a class without specifying an installed jar file name. The security model provided by SQL part 13 does provide security by only allowing routines to resolve to a specific installed jar file and providing the USAGE privilege on installed jar files. Derby follows a different path, basically adding an installed jar file to derby.database.classpath implicitly grants USAGE on that jar to PUBLIC. The ability to perform this implicit grant is, as you say, itself under GRANT/REVOKE because one must have EXECUTE permission on the procedure to set the database property. Then in addition the class in external name in Derby need not come from a jar file, but can be resolved from the vm's classpath. So one part of the solution would be to enhance Derby to support installed jar names in EXTERNAL NAME and to implement the USAGE privilege, following the SQL standard (part 13). Then to address the resolution of routines that do not specify an installed jar name in EXTERNAL NAME Derby could change from an implictly adding the current classpath to the database classpath to a model where it must explictily be added. Maybe fixed tokens like: JRE - routines can resolve to any classes that start with java. and javax. CLASSPATH - routines can resolve to any classes that are on the vm's classpath E.g. derby.database.classpath= - No resolution of any routines that do not specify a jar file. derby.database.classpath=SALES.SALES_FORCAST - Only resolve methods from SALES.SALES_FORCAST derby.database.classpath=JRE:SALES.SALES_FORCAST - Only resolve methods from the JRE's java. and javax. classes and classes in SALES.SALES_FORCAST derby.database.classpath=CLASSPATH:SALES.SALES_FORCAST - Only resolve methods from the current classpath, excluding java. and javax classes, and those from SALES.SALES_FORCAST derby.database.classpath=JRE:CLASSPATH:SALES.SALES_FORCAST - Resolve methods as 10.2. Dan.