From: Dyre.Tjeldvoll@Sun.COM
To: derby-dev@db.apache.org
Date: Fri, 09 Nov 2007 10:32:47 +0100
Subject: Re: Installing a SecurityManager by default when the server boots
References: <47320BAE.60609@sun.com>

Dyre.Tjeldvoll@Sun.COM writes:

> Rick Hillegas writes:
>
>> As of release 10.3, when you boot the network server from the command
>> line, the server installs a Java SecurityManager with a default
>> policy. This change (DERBY-2196) limits the ability of hackers,
>> connecting from arbitrary machines, to use Derby to corrupt the
>> environment in which it is running. In addition, this change provides
>> a foundation on which we can add more security features
>> incrementally. As a result of this change, we have learned more about
>> how Derby behaves when run under a SecurityManager--that in turn, has
>> helped us discover more permissions which we need to add to the
>> template used as a starting point for configuring a Derby security
>> policy.
>>
>> Unfortunately, this change has proved painful to some users. See, for
>> instance, DERBY-3086 and the ongoing discussion on DERBY-3083.
>>
>> Now that we have some experience with the 10.3 release, I would like
>> to ask the community to review the wisdom of this change. Do we still
>> think that this is the correct default behavior? Or should we consider
>> turning off this feature in the upcoming 10.3 maintenance release?
>
> Personally, I have always been a fan of the "if you don't need it,
> you should not have to pay for it" philosophy. Where "pay" could mean
> anything from a performance hit to extra hassles when getting started.

An example: If I start the Swing-based JUnit test runner with a suite as
argument, it runs fine.
But if I try to browse for another suite or test from the same runner I get

Exception in thread "AWT-EventQueue-0" java.security.AccessControlException: access denied (java.util.PropertyPermission java.class.path read)
        at java.security.AccessControlContext.checkPermission(AccessControlContext.java:323)
        at java.security.AccessController.checkPermission(AccessController.java:546)
        at java.lang.SecurityManager.checkPermission(SecurityManager.java:532)
        at java.lang.SecurityManager.checkPropertyAccess(SecurityManager.java:1285)
        at java.lang.System.getProperty(System.java:652)
        at junit.runner.ClassPathTestCollector.collectTests(ClassPathTestCollector.java:25)
        at junit.swingui.TestSelector.createTestList(TestSelector.java:257)
        at junit.swingui.TestSelector.<init>(TestSelector.java:125)
        at junit.swingui.TestRunner.browseTestClasses(TestRunner.java:532)
        at junit.swingui.TestRunner$10.actionPerformed(TestRunner.java:348)

Now, what nasty hacker attack is prevented by not letting JUnit read the classpath :)

-- 
dt
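An added example, not from this thread or from Derby's own code, that reproduces the check behind the trace above: it installs a SecurityManager with a hypothetical allow-list Policy (AllowListPolicy) and reports any permission the task is denied as a policy-file grant line, which is how one discovers entries to add to a policy template instead of switching the SecurityManager off. It assumes a JDK that still ships the SecurityManager (on JDK 17 and later it must be enabled with -Djava.security.manager=allow).

```java
import java.security.*;
import java.util.PropertyPermission;

// Added example, not Derby's code: probe which permission a task lacks
// under a SecurityManager and print it as a policy-file grant line.
public class MissingPermissionProbe {
    // Hypothetical Policy granting only an explicit allow-list. The
    // SecurityPermission "setPolicy" is always included so the probe
    // itself can swap policies once the SecurityManager is installed.
    static final class AllowListPolicy extends Policy {
        private final Permissions granted = new Permissions();

        AllowListPolicy(Permission... perms) {
            granted.add(new SecurityPermission("setPolicy"));
            for (Permission p : perms) granted.add(p);
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return granted.implies(permission);
        }
    }

    // Runs the task; returns null if every check passed, otherwise the
    // denied permission formatted as a line for a policy grant block.
    static String probe(Runnable task) {
        try {
            task.run();
            return null;
        } catch (AccessControlException e) {
            Permission p = e.getPermission();
            return "permission " + p.getClass().getName()
                    + " \"" + p.getName() + "\", \"" + p.getActions() + "\";";
        }
    }

    public static void main(String[] args) {
        // The same call JUnit's ClassPathTestCollector makes in the trace.
        Runnable readClassPath = () -> System.getProperty("java.class.path");

        // First run: the policy lacks the property permission, so the read is denied.
        Policy.setPolicy(new AllowListPolicy());
        System.setSecurityManager(new SecurityManager());
        System.out.println("without grant: " + probe(readClassPath));

        // Second run: the same policy plus the one grant the trace calls for.
        Policy.setPolicy(new AllowListPolicy(
                new PropertyPermission("java.class.path", "read")));
        System.out.println("with grant: " + probe(readClassPath));
    }
}
```

The line the first run prints can be pasted as-is into the grant block of the policy file used to start the server, so only that one permission is widened.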