db-derby-dev mailing list archives

From "Rick Hillegas (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2196) Run standalone network server with security manager by default
Date Thu, 08 Feb 2007 00:53:05 GMT

[ https://issues.apache.org/jira/browse/DERBY-2196?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12471167 ]

Rick Hillegas commented on DERBY-2196:
--------------------------------------

Thanks for the additional feedback, Dan. If you think it's ok to not document these properties
in the user guides, then I'm fine with removing that task from the functional spec. I don't
see much point in exposing these to users and I agree that they are just pieces of our internal
plumbing--although we at least half-expose them to customers by including them in the template
policy file we ship with the release.

You point out an interesting security hole. I think that that hole exists regardless of whether
the black-hat jar file is ${derby.install.url} or ${derby.install.url}/lib/derby.jar. I don't
know how serious that hole is. I suspect that the person who has access to setting system
properties also has the power to do a lot of other harm.

To close that specific security hole, we could go back to the original idea of having the
network server cook up the Basic policy on the fly. That is, we would not parameterize the
location of the codesources.

> Run standalone network server with security manager by default
> --------------------------------------------------------------
>
>                 Key: DERBY-2196
>                 URL: https://issues.apache.org/jira/browse/DERBY-2196
>             Project: Derby
>          Issue Type: Improvement
>          Components: Network Server, Security
>            Reporter: Daniel John Debrunner
>         Assigned To: Rick Hillegas
>         Attachments: derby-2196-01-print-01.diff, derby-2196-01-print-02.diff, derby-2196-01-print-03.diff,
secureServer.html, secureServer.html, secureServer.html, secureServer.html, secureServer.html,
secureServer.html
>
>
> From an e-mail discussion:
> ... Derby should match the security provided by typical client server systems such as DB2, Oracle, etc. I
> think in this case system/database owners are trusting the database 
> system to ensure that their system cannot be attacked. So maybe if Derby 
> is booted as a standalone server with no security manager involved, it 
> should install one with a default security policy. Thus allowing Derby 
> to use Java security manager to manage system privileges but not 
> requiring everyone to become familiar with them.
> http://mail-archives.apache.org/mod_mbox/db-derby-dev/200612.mbox/%3c4582FE67.7040308@apache.org%3e
> I imagine such a policy would allow any access to databases under derby.system.home and/or user.home.
> By standalone I mean the network server was started though the main() method (command line).

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
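The alternative Rick sketches above, deriving the codesource from the server code that is actually running instead of from a ${derby.install.url} system property, as an added illustration. This is not Derby's code and not the template policy file the project ships; the class name GeneratedPolicy, the permission set, the port 1527 and the fallback from derby.system.home to user.dir are all assumptions made for the example.

```java
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.CodeSource;
import java.security.Policy;

/*
 * Hypothetical illustration, not Derby's code. A template policy that ties
 * its grant to a launcher-controlled property looks roughly like
 *
 *   grant codeBase "${derby.install.url}/lib/derby.jar" { ... };
 *
 * and whoever can set derby.install.url on the command line can aim that grant
 * at a jar of their choosing. Below, the codesource is read from the class
 * that is running, so no property is consulted when the policy is built.
 */
public class GeneratedPolicy {

    /** Location (jar or directory) the anchor class was loaded from. */
    static URL ownCodeBase(Class<?> anchor) {
        CodeSource cs = anchor.getProtectionDomain().getCodeSource();
        if (cs == null || cs.getLocation() == null) {
            // Boot class path classes have no CodeSource; refuse rather than
            // fall back to a guess that a property could influence.
            throw new IllegalStateException("no code source for " + anchor.getName());
        }
        return cs.getLocation();
    }

    /**
     * Policy text granting server privileges only to code at codeBase.
     * The permission set is an assumed minimum for a network server:
     * its databases under systemHome, its listen port, and its own properties.
     */
    static String policyText(URL codeBase, Path systemHome, int port) {
        // Policy files treat backslash as an escape, so Windows paths are doubled.
        String home = systemHome.toAbsolutePath().toString().replace("\\", "\\\\");
        return "grant codeBase \"" + codeBase + "\" {\n"
             + "  permission java.io.FilePermission \"" + home + "${/}-\", \"read,write,delete\";\n"
             + "  permission java.net.SocketPermission \"localhost:" + port + "\", \"accept,listen,resolve\";\n"
             + "  permission java.util.PropertyPermission \"derby.*\", \"read\";\n"
             + "};\n";
    }

    /** Write the policy, point java.security.policy at it, and install a SecurityManager. */
    static Path install(String text) throws IOException {
        Path policyFile = Files.createTempFile("derby-basic-", ".policy");
        Files.writeString(policyFile, text);
        // A single '=' adds this file to the JVM default policy; '==' would replace it.
        System.setProperty("java.security.policy", policyFile.toUri().toString());
        Policy.getPolicy().refresh();          // re-read now that the property is set
        System.setSecurityManager(new SecurityManager());
        return policyFile;
    }

    public static void main(String[] args) throws IOException {
        URL codeBase = ownCodeBase(GeneratedPolicy.class);
        // Assumed fallback: derby.system.home, else the working directory.
        Path home = Path.of(System.getProperty("derby.system.home", System.getProperty("user.dir")));
        String text = policyText(codeBase, home, 1527);
        System.out.print(text);
        Path file = install(text);
        System.err.println("security manager installed from " + file);
    }
}
```

Compile and run it from the jar or directory that should receive the grant; the printed codeBase is whatever that jar's URL is, not a value taken from the command line. It needs Java 11 or later for Files.writeString and Path.of; on Java 18 and later the JVM must be started with -Djava.security.manager=allow for System.setSecurityManager to succeed, and the SecurityManager API is deprecated for removal there.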

