db-derby-dev mailing list archives

From "Daniel John Debrunner (JIRA)" <j...@apache.org>
Subject [jira] Commented: (DERBY-3477) Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.
Date Fri, 29 Feb 2008 05:14:51 GMT

    [ https://issues.apache.org/jira/browse/DERBY-3477?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12573594#action_12573594 ]

Daniel John Debrunner commented on DERBY-3477:
----------------------------------------------

I think this work-around in the current format permission handling introduces a security hole:

+            principals.add(new SystemPrincipal(user));
+            principals.add(new SystemPrincipal(getAuthorizationId(user)));

This jumps out as wrong to me as SystemPrincipal is being passed user names in two forms,
one in a string form that corresponds to a SQL identifier format (including support for delimited
identifiers), the other in a common-normal-form. Any time one passes different concepts to
the same code it's a recipe for bugs.

Say the user name is a delimited identifier, user="fred", e.g. in a Java program the URL might
look like:

    String url = "jdbc:derby:db;user=\"fred\";password=8dkkw";

then the common form of the name is fred. Then the Subject has two SystemPrincipals, "fred"
and fred.

Now a grant in the policy file of

  grant principal org.apache.derby.authentication.SystemPrincipal "fred";

will successfully grant the permission to this user. Though the intention is that the permission
is granted to the authentication id that has FRED as its cnf.

Now let's see what happens if the user=fred, i.e.

    String url = "jdbc:derby:db;user=fred;password=de7343";

thus it has a cnf of FRED. Thus the subject has two SystemPrincipals, fred and FRED.

Now that previous grant also works for this user.

Thus a single grant that was intended for a single user actually satisfies two users, that's
a security hole.


> Make format principal names in SystemPermission (e.g. policy files) match the standard way Derby handles authorization identifiers in a Java context.
> -----------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DERBY-3477
>                 URL: https://issues.apache.org/jira/browse/DERBY-3477
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Security
>            Reporter: Daniel John Debrunner
>
> Expected format described in:
> https://issues.apache.org/jira/browse/DERBY-2109?focusedCommentId=12561537#action_12561537

> Comments in DERBY-2109 around patch 10 indicate some issue around implementing this, it would be good to see the code that attempted to implement it to help figure out the problem.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
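The scenario in the comment above, as an added model that is not Derby's own code: it assumes the normalization rule the comment describes (a delimited identifier "fred" keeps its case and loses the quotes, an undelimited fred becomes FRED) and the policy-file matching rule that a grant applies when any principal in the Subject has exactly the granted name. It builds the Subject's principal set both the work-around way (raw string plus cnf) and the normalized-only way, and checks which users a single `"fred"` grant satisfies under each.

```python
# Added example (not Derby's code): shows how registering a SystemPrincipal for
# both the raw user string and its common normal form (cnf) lets one policy
# grant match two distinct users, and how a cnf-only principal set avoids it.
from typing import Callable, Iterable, List, Set


def authorization_id(user: str) -> str:
    """Assumed Derby rule from the comment: a delimited identifier "fred"
    keeps its case and drops the quotes; an undelimited fred is upper-cased."""
    if len(user) >= 2 and user[0] == '"' and user[-1] == '"':
        return user[1:-1]
    return user.upper()


def principals_with_workaround(user: str) -> Set[str]:
    # The flawed construction quoted in the comment: raw user string AND cnf.
    return {user, authorization_id(user)}


def principals_normalized(user: str) -> Set[str]:
    # The intended construction: only the cnf ever becomes a SystemPrincipal.
    return {authorization_id(user)}


def grant_matches(grant_name: str, principals: Set[str]) -> bool:
    # Assumed policy semantics: grant principal SystemPrincipal "<name>"
    # applies when some principal in the Subject has exactly that name.
    return grant_name in principals


def users_satisfying_grant(grant_name: str, users: Iterable[str],
                           build: Callable[[str], Set[str]]) -> List[str]:
    return [u for u in users if grant_matches(grant_name, build(u))]


# Constructed inputs: the two JDBC user values from the comment.
USERS = ['"fred"', 'fred']
# Name from: grant principal org.apache.derby.authentication.SystemPrincipal "fred";
GRANT = "fred"

if __name__ == "__main__":
    print("work-around :", users_satisfying_grant(GRANT, USERS, principals_with_workaround))
    print("normalized  :", users_satisfying_grant(GRANT, USERS, principals_normalized))
```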

