db-derby-dev mailing list archives

From "Dag H. Wanvik (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-2963) AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
Date Tue, 24 Jul 2007 17:00:31 GMT

    [ https://issues.apache.org/jira/browse/DERBY-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12515028 ]

Dag H. Wanvik commented on DERBY-2963:

Did some digging on the "listen" privilege and the other socket

The default policy file (java.home/lib/security/java.policy) contains
this line:

        // allows anyone to listen on un-privileged ports
        permission java.net.SocketPermission "localhost:1024-", "listen";

If the user specifies a port below 1024, the default policy file would
not work for any interface. Is this acceptable? For running with root
privileges, privileged ports are a valid use case, otherwise "1024-" is
enough. To handle privileged ports we need to add another line to the
policy file:

        permission java.net.SocketPermission "localhost", "listen";

or, to tighten it down, add code to produce the correct line, e.g. so
for IPv4 (would not work for IPv6 probably..)

        permission java.net.SocketPermission "localhost:${derby.security.port}", "listen";

(Note that even if we specify -h x.x.x.x it is still "localhost" that
needs to get the extra privileges for listening.)

Other than "listen" and "accept", we also need "resolve", but that is
implied by "accept".

So in summary, the present patch is sufficient; unless we want the
default policy to allow using privileged ports. What do you think?

> AccessControlException: Access denied java.net.SocketPermission <client ip> accept,resolve
> ------------------------------------------------------------------------------------------
>                 Key: DERBY-2963
>                 URL: https://issues.apache.org/jira/browse/DERBY-2963
>             Project: Derby
>          Issue Type: Bug
>          Components: Network Server
>    Affects Versions:,
>         Environment: SuseLinux 10
> IBM JVM 1.5
>            Reporter: Daniel John Debrunner
>            Priority: Blocker
>             Fix For:
>         Attachments: DERBY-2963-1.diff, DERBY-2963-1.stat
> I start the server using an ipv4 address
> java derbyrun.jar server start -h x.x.x.x
> Then I connect from a remote client and hit an AccessControlException
> The ip in the exception is that of the *client*, not the server.
> This setup works in
> Same problem if the hostname is in derby.properties
> Problem can be worked around by using -noSecurityManager when starting the server

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.
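
The port and action rules discussed in the comment above can be checked with SocketPermission.implies(). The following is an added example, not part of the original message and not Derby code. Assumptions: port 1527 stands in for ${derby.security.port}, port 999 is a constructed privileged port, and 192.0.2.10 with the "1024-" port range is a constructed accept grant for the client.

```java
import java.net.SocketPermission;

// Added example (not Derby code): evaluates the policy lines from the comment
// with SocketPermission.implies(). Port 1527 stands in for
// ${derby.security.port}, port 999 is a constructed privileged port, and
// 192.0.2.10 is a constructed client address (documentation range).
public class SocketPolicyCheck {

    // True if a grant of (grantHost, grantActions) covers the needed permission.
    static boolean covers(String grantHost, String grantActions,
                          String needHost, String needActions) {
        SocketPermission grant = new SocketPermission(grantHost, grantActions);
        SocketPermission need = new SocketPermission(needHost, needActions);
        return grant.implies(need);
    }

    public static void main(String[] args) {
        String[] listenGrants = {
            "localhost:1024-",   // default java.policy line
            "localhost",         // any port, privileged ones included
            "localhost:1527"     // single configured port
        };
        int[] ports = {1527, 999};

        // Listening is checked against "localhost", as the comment notes,
        // regardless of the address given with -h.
        for (String grant : listenGrants) {
            for (int port : ports) {
                System.out.printf("grant %-18s listen -> listen on port %-4d : %b%n",
                        '"' + grant + '"', port,
                        covers(grant, "listen", "localhost:" + port, "listen"));
            }
        }

        // The exception in the issue names the client address, so the accept
        // grant is checked against the client, not the server's -h address.
        String client = "192.0.2.10";
        String acceptGrant = client + ":1024-";
        System.out.println("accept grant covers accept from client port 40000: "
                + covers(acceptGrant, "accept", client + ":40000", "accept"));
        System.out.println("accept grant covers resolve of client: "
                + covers(acceptGrant, "accept", client, "resolve"));
        System.out.println("listen-only grant covers accept from client: "
                + covers("localhost:1024-", "listen", client + ":40000", "accept"));
    }
}
```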
