Return-Path: Delivered-To: apmail-db-derby-dev-archive@www.apache.org Received: (qmail 69971 invoked from network); 9 Jul 2007 21:17:21 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2) by minotaur.apache.org with SMTP; 9 Jul 2007 21:17:21 -0000 Received: (qmail 71091 invoked by uid 500); 9 Jul 2007 21:17:24 -0000 Delivered-To: apmail-db-derby-dev-archive@db.apache.org Received: (qmail 70972 invoked by uid 500); 9 Jul 2007 21:17:23 -0000 Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: Delivered-To: mailing list derby-dev@db.apache.org Received: (qmail 70962 invoked by uid 99); 9 Jul 2007 21:17:23 -0000 Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133) by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 09 Jul 2007 14:17:23 -0700 X-ASF-Spam-Status: No, hits=0.0 required=10.0 tests= X-Spam-Check-By: apache.org Received-SPF: neutral (herse.apache.org: local policy) Received: from [68.142.198.204] (HELO smtp105.sbc.mail.mud.yahoo.com) (68.142.198.204) by apache.org (qpsmtpd/0.29) with SMTP; Mon, 09 Jul 2007 14:17:20 -0700 Received: (qmail 68284 invoked from network); 9 Jul 2007 21:16:58 -0000 Received: from unknown (HELO ?9.72.133.77?) (ddebrunner@sbcglobal.net@32.97.110.142 with plain) by smtp105.sbc.mail.mud.yahoo.com with SMTP; 9 Jul 2007 21:16:58 -0000 X-YMail-OSG: v0vfyC8VM1kY1wH_DeRIeRHsXdcv4JfjEZtoCp940sZe7_iwBgvR9F74Iq4zvHmAYz6qTKbF.w-- Message-ID: <4692A55A.9080406@apache.org> Date: Mon, 09 Jul 2007 14:15:06 -0700 From: Daniel John Debrunner User-Agent: Thunderbird 1.5.0.12 (Windows/20070509) MIME-Version: 1.0 To: derby-dev@db.apache.org Subject: Re: what is the right way to fix the import/export security issues (DERBY-2436, DERBY-2437)? References: <46929F54.1060500@sbcglobal.net> In-Reply-To: <46929F54.1060500@sbcglobal.net> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Mike Matrigali wrote: > I am hoping to get a discussion going on how the right way to fix these > issues. As I understand it the ability to read/write files is currently > inherited from derby.jar where the import/export system procedures > currently reside. The problem is that this means the they can be used > to bypass the normal database level read/write access to derby system > files: property files, database files, log files, temp files. As dan > has pointed out I believe the current policy files may allow in one > database but access files in a completely different database so the > scope of the files is larger than just the current database. > > I don't know much about security manager possibilities so maybe someone > who knows can point the way. > > Some approaches: > 1) try to code access privileges in the routines themselves, that is > separate from java security manager. Basically > disallow access to derby files by adding code logic to determine if > the files being read/written are derby files. This is not too hard to > do if you > only want to disallow under the current database subtree, but gets > harder under any derby subtree. > So I think this approach would check for files named: > derby.properties > system.properties > log/log*.dat > log/log.ctrl > log/logmirror.ctrl > seg0/*.dat > > I think temporary files also, and I think they can be anywhere. I like the above approach, simple but likely covers most of situations. The list would need to include jar/*.jar. I also think you mean service.properties and not system.properties. A "right" Java fix might be to introduce new Derby permissions for import and export. Then derby.jar would need to be granted those permissions in order to import/export. The permissions could use java.io.FilePermission (write for Export, read for Import). Dan.