db-derby-dev mailing list archives

From Daniel John Debrunner <...@apache.org>
Subject Just how more secure is (will be) 10.3 than 10.2?
Date Tue, 05 Jun 2007 04:56:02 GMT
Rick Hillegas wrote on derby-user:

http://mail-archives.apache.org/mod_mbox/db-derby-user/200706.mbox/%3c46648064.6000809@sun.com%3e

> The upcoming release of Derby 10.3 will make networked configurations 
> safer by installing a Java security manager if the user forgets to 
> install one. [snip]. As a result, it will be harder 
> for hackers to corrupt multi-user applications and shared machines.

One item that's missing from the post to the user list and any 
discussion around this issue is how much more secure is 10.3 than 10.2? 
It's worth stepping back and looking at the overall picture. I'd hate 
for 10.3 to be overselling its security.

Assume that the server will boot with a security manager if one is not 
configured, regardless of any authentication setting (i.e. DERBY-2757 is 
fixed).

Let's take the case of a non-root user running the network server from 
the command line (don't even want to think about root running it) and an 
unauthenticated network server accepting connections from remote clients.

For actions a remote user can perform, is 10.3 more secure?

File Access:
  - 10.3 probably disallows deleting any file (more secure)
  - 10.3 probably disallows navigating the directory structure (more secure)
  - 10.3 continues to allow a remote user to read or write any file the 
user that started the server has access to. A couple more steps are 
required to read/write any file but not a significant hurdle. The remote 
user probably needs to know the path to any file, but sometimes smart 
guessing can help here. (not much more secure)
  - Significant possibility the remote user could modify the server 
startup script and/or configuration to defeat some or all security.

Cause the JVM to stop:
  - 10.3 more secure, can no longer call System.exit() directly**
  - Is there a way to terminate the network server from a remote host 
though, thus stopping the jvm?

Can shut down database system - 10.3 not more secure

Can create databases - 10.3 not more secure

Can shut down database - 10.3 more secure only for SQL authorization 
databases, assuming authentication is set up for the database.

Can encrypt/upgrade existing databases - 10.3 more secure only for SQL 
authorization databases, assuming authentication is set up for the database.

Read/Set system properties:
  - 10.3 more secure than 10.2, remote user should not be able to read 
properties**
  - could a remote user infer a few system properties through having 
read access to any file?

Open arbitrary network connections - 10.3 more secure. Should be no 
ability to open sockets etc**

Other arbitrary java actions limited by security manager - 10.3 more 
secure, all such operations will be prohibited**

** assuming security has not been defeated by the remote user having the 
ability to modify files on the remote system.

Not sure on that basis if I would call 10.3 "safer". If there are N ways 
to break security and fewer than N are closed, then a system is not more 
secure.
I certainly think that any documentation or discussion should not imply 
in any way that 10.3 out of the box is a secure system. I see the 
security improvements as a journey, and future releases may continue to 
break backwards compatibility by closing security holes. Or, if that's 
not acceptable, then Derby should at least provide the ability to easily set up 
a secure system and make clear it's an SDK and not an out-of-the-box 
client/server database.

Dan.
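The following is an added illustration of the asymmetry Dan describes; it is not Derby code and does not reproduce Derby's own policy file. It installs a stock Java security manager with a policy modelled on the situation in the message: file read and write are granted under one "home" directory and nothing else is granted beyond the JDK's default policy. The items marked ** (System.exit(), property reads, opening sockets, touching files outside the granted tree) are then refused, while a write inside the granted tree, including a write to the policy file itself, still goes through. The location of the home directory and the policy file under java.io.tmpdir, and the file names used, are assumptions for the demo only.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.net.Socket;
import java.util.concurrent.Callable;

/*
 * Added demo, not Derby code: install a security manager whose policy grants
 * file access under one directory and nothing more, then try each action from
 * the list in the message.
 *
 * Assumptions: home directory and policy file live under java.io.tmpdir; a
 * real server's policy and config locations are not modelled here.
 * Runs as is on JDK 8-17; on JDK 18-23 add -Djava.security.manager=allow.
 * JDK 24 and later no longer allow a security manager to be installed.
 */
public class SecurityManagerDemo {

    /** Run one action under the manager and report whether it was refused. */
    static String attempt(String label, Callable<?> action) {
        try {
            action.call();
            return label + ": allowed";
        } catch (SecurityException e) {
            return label + ": refused (" + e.getClass().getSimpleName() + ")";
        } catch (Exception e) {
            return label + ": failed for another reason (" + e + ")";
        }
    }

    public static void main(String[] args) throws IOException {
        // Fetch everything needed from the environment before the manager is
        // installed; afterwards property reads are refused by the policy.
        File tmp = new File(System.getProperty("java.io.tmpdir"));
        File home = new File(tmp, "sm-demo-home");
        File outside = new File(tmp, "sm-demo-outside.txt");
        home.mkdirs();
        System.setProperty("demo.home", home.getAbsolutePath());

        // The policy file is placed inside the granted tree, like a config
        // file a server reads at startup. ${demo.home} and ${/} are expanded
        // by the policy parser. Read/write only: no delete, no execute.
        File policy = new File(home, "demo.policy");
        try (FileWriter w = new FileWriter(policy)) {
            w.write("grant {\n"
                  + "  permission java.io.FilePermission \"${demo.home}${/}-\", \"read,write\";\n"
                  + "};\n");
        }
        System.setProperty("java.security.policy", policy.getAbsolutePath());
        System.setSecurityManager(new SecurityManager());

        // Closed by the manager: the items marked ** in the message.
        System.out.println(attempt("System.exit()",
                () -> { System.exit(0); return null; }));
        System.out.println(attempt("read user.dir property",
                () -> System.getProperty("user.dir")));
        System.out.println(attempt("open socket to 127.0.0.1:9",
                () -> { new Socket("127.0.0.1", 9).close(); return null; }));
        System.out.println(attempt("write a file outside home",
                () -> { new FileOutputStream(outside).close(); return null; }));

        // Still open: anything under the granted tree. The rewritten policy
        // does not affect this JVM, but it is what the next start will load,
        // which is the "security defeated by modifying files" caveat.
        System.out.println(attempt("write a config file inside home", () -> {
            try (FileWriter w = new FileWriter(new File(home, "derby.properties"))) {
                w.write("# contents chosen by the remote user\n");
            }
            return null;
        }));
        System.out.println(attempt("overwrite the policy file itself", () -> {
            try (FileWriter w = new FileWriter(policy)) {
                w.write("grant { permission java.security.AllPermission; };\n");
            }
            return null;
        }));
    }
}
```

Compile and run with `javac SecurityManagerDemo.java && java SecurityManagerDemo` (adding `-Djava.security.manager=allow` on JDK 18 to 23). The first four actions are refused because neither the demo policy nor the JDK's default policy grants exitVM, the user.dir property, SocketPermission, or a FilePermission outside the tree; the last two succeed because they fall inside the one grant, which is the point of Dan's ** footnote.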

