db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Updated: (DERBY-2264) Restrict shutdown, upgrade, and encryption powers to the database owner
Date Wed, 21 Feb 2007 16:32:06 GMT

     [ https://issues.apache.org/jira/browse/DERBY-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Dag H. Wanvik updated DERBY-2264:
---------------------------------

    Attachment: encrypt-3.sql
                encrypt-2.sql
                encrypt-1b.sql

Looking at (re)encryption, I see that the functional specification
says, when describing current behavior: "anyone who can connect can
(re)encrypt the database". It is actually worse than that, currently
anyone (sic) can, even when authentication is on:

1a) boot a database, even if authentication fails

1b) boot an encrypted database just by knowing the boot password, even
    if authentication fails 

2) encrypt a database, even if authentication fails

3) re-encrypt a database only by knowing bootPassword/encryption key,
   even if authentication fails

These side-effects of otherwise botched connection attempts can be a
little surprising ;)

(Re)encryption happens at boot time, and no authentication is
performed until after the database is booted (user credentials may be
database local). Scenario 2) above is especially bad, since it allows
a rogue user to effectively make the database unavailable to all
legitimate users once it has been shut down. I was not aware of this;
is it pointed out in the current documentation? I uploaded repro
scripts for the above cases 1b, 2 and 3 for illustration.

As I see it now, we can attempt enforcement of 2) and 3) by first
booting the database, then authenticating. If authentication succeeds
and the user is the database owner, we will shut down the database and
boot it over again with the (re)encryption now taking place.

Whether or not 1), the booting, should be limited by privileges is
outside the scope of this JIRA issue, I think.


> Restrict shutdown, upgrade, and encryption powers to the database owner
> -----------------------------------------------------------------------
>
>                 Key: DERBY-2264
>                 URL: https://issues.apache.org/jira/browse/DERBY-2264
>             Project: Derby
>          Issue Type: New Feature
>          Components: Security, SQL
>            Reporter: Rick Hillegas
>         Assigned To: Dag H. Wanvik
>         Attachments: dbaPowers.html, dbaPowers.html, DERBY-2264-1.diff, DERBY-2264-1.stat, encrypt-1b.sql, encrypt-2.sql, encrypt-3.sql
>
>
> This JIRA separates out the database-owner powers from the system privileges in the master security JIRA DERBY-2109. Restrict the following powers to the database owner for the moment: shutdown, upgrade, and encryption.

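The ordering proposed in the comment above (boot without encryption attributes, authenticate, verify the caller is the database owner, only then shut down and reboot with the re-encryption attributes), written out as an added example; it is not part of this message or of Derby's own code. It assumes the embedded driver, Derby's `bootPassword`, `newBootPassword` and `shutdown` connection attributes passed as properties, and that the database owner is the authorization id recorded for the SYS schema in SYS.SYSSCHEMAS (an assumption about Derby's catalogs).

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/** Re-encrypts a Derby database only after the caller has authenticated as the database owner. */
public class OwnerGatedReencrypt {

    /** Database owner: assumed here to be the authorization id stored for the SYS schema. */
    static String databaseOwner(Connection c) throws SQLException {
        try (Statement s = c.createStatement();
             ResultSet rs = s.executeQuery(
                 "SELECT AUTHORIZATIONID FROM SYS.SYSSCHEMAS WHERE SCHEMANAME = 'SYS'")) {
            return rs.next() ? rs.getString(1) : null;
        }
    }

    /** Shuts down one database; Derby reports a successful shutdown as SQLState 08006. */
    static void shutdown(String dbName) throws SQLException {
        try {
            DriverManager.getConnection("jdbc:derby:" + dbName + ";shutdown=true");
        } catch (SQLException e) {
            if (!"08006".equals(e.getSQLState())) throw e;
        }
    }

    static void reencryptAsOwner(String dbName, String user, String password,
                                 String oldBootPassword, String newBootPassword) throws SQLException {
        String url = "jdbc:derby:" + dbName;
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("bootPassword", oldBootPassword);
        String owner, currentUser;
        // Step 1: plain boot plus authentication. A bad password fails here, before any re-encryption.
        try (Connection c = DriverManager.getConnection(url, p);
             Statement s = c.createStatement();
             ResultSet rs = s.executeQuery("VALUES CURRENT_USER")) {
            owner = databaseOwner(c);
            rs.next();
            currentUser = rs.getString(1);
        }
        if (owner == null || !owner.equals(currentUser)) {
            throw new SQLException("re-encryption refused: " + currentUser + " is not the owner " + owner);
        }
        // Step 2: owner verified, so shut down and boot again with the re-encryption attribute set.
        shutdown(dbName);
        p.setProperty("newBootPassword", newBootPassword);
        try (Connection c = DriverManager.getConnection(url, p)) {
            // Reaching here means the database was rebooted with the new boot password.
        }
    }
}
```

This only models the proposed ordering from a client; a client-side check cannot stop a caller who skips it, so the enforcement the issue asks for has to live in the engine's boot path.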

