db-derby-dev mailing list archives
From "Kathey Marsden (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-5363) Tighten default permissions of DB files with >= JDK6
Date Thu, 01 Sep 2011 15:40:09 GMT

[ https://issues.apache.org/jira/browse/DERBY-5363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095355#comment-13095355 ]

Kathey Marsden commented on DERBY-5363:
---------------------------------------

Dag Said ...
"The whole point of doing this is "to protect users against themselves", i.e. provide a default
that is secure rather than insecure."

For embedded the default has always been focused on zero admin and so pretty much wide open
by default and not secure. Users have to take specific steps to secure Derby and absorb the
necessary administration and work to secure it. I think many embedded applications require
multiple user access and that is a perfectly valid use of the product. I don't think we can
justify breaking these applications to protect some other users from themselves.

I am more comfortable with changing the command line startup for Network Server as it is not
a zero admin solution. Multiple connecting client users will not be affected by the permission
change and we have already made efforts to improve default security. Although they exist,
it is harder to think of valid scenarios where multiple users need to start network server
and I think we could mitigate it from a support perspective, which I don't think we could
for embedded.

Whether the default changes or it doesn't, and in what scenarios, I think it would be wise to
consult the user list and get feedback. I think the user I talked to was certainly right
when he said:
"there are times when a component *really* needs to change default behavior, but it should
only be after a lot of consideration and adopter buy-in"

Dag, can you bring this issue up on the user list? I could do it, but I think since you
are driving the change it would be most appropriate for you to initiate the user list discussion.
I think it will also help raise awareness for current users that they need their umask set
appropriately if they want the files protected.

> Tighten default permissions of DB files with >= JDK6
> ----------------------------------------------------
>
>                 Key: DERBY-5363
>                 URL: https://issues.apache.org/jira/browse/DERBY-5363
>             Project: Derby
>          Issue Type: Improvement
>          Components: Miscellaneous, Services, Store
>            Reporter: Dag H. Wanvik
>            Assignee: Dag H. Wanvik
>         Attachments: derby-5363-basic-1.diff, derby-5363-basic-1.stat, derby-5363-basic-2.diff,
derby-5363-basic-2.stat, permission-5.diff, permission-5.stat, permission-6.diff, permission-6.stat,
property-table.png, z.sql
>
>
> Before Java 6, files created by Derby would have the default
> permissions of the operating system context. Under Unix, this would
> depend on the effective umask of the process that started the Java VM.
> In Java 6 and 7, there are methods available that allow tightening this up
> (File.setReadable, setWritable), making it less likely that somebody
> would accidentally run Derby with a too lenient default.
> I suggest we take advantage of this, and let Derby by default (in Java
> 6 and higher) limit the visibility to the OS user that starts the VM,
> e.g. on Unix this would be equivalent to running with umask 0077. More
> secure by default is good, I think.
> We could have a flag, e.g. "derby.storage.useDefaultFilePermissions"
> that when set to true, would give the old behavior.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
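The issue description proposes using File.setReadable/setWritable (Java 6) to limit database files to the OS user that starts the VM, with an opt-out property "derby.storage.useDefaultFilePermissions". The following is an added example illustrating that mechanism; it is not Derby's own code or the patch attached to the issue. The property name is taken from the issue text, but the lookup via Boolean.getBoolean, the method names, and the file names used in main are assumptions made for this example. The verification helper uses java.nio.file (Java 7) only to read the resulting mode back.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

/**
 * Added example (not Derby code): restrict a file or directory to its owner,
 * the effect the issue compares to running with umask 0077.
 */
public final class OwnerOnlyPermissions {

    // Property name from the issue text; reading it as a boolean system
    // property with a default of false is an assumption of this example.
    static final String USE_DEFAULT_PERMS = "derby.storage.useDefaultFilePermissions";

    /**
     * Revoke read/write/execute for everybody, then grant them back to the owner only.
     * Returns true only if every permission change succeeded; callers should check it,
     * because File.setReadable(false, ...) fails on file systems without a read bit
     * (notably Windows), leaving the file at its original permissions.
     */
    public static boolean limitAccessToOwner(File f) {
        if (Boolean.getBoolean(USE_DEFAULT_PERMS)) {
            return true; // opt-out: keep the OS/umask default behaviour, as the issue suggests
        }
        boolean ok = true;
        // Order matters: ownerOnly=false clears the bit for owner, group and others;
        // the following ownerOnly=true call restores it for the owner alone.
        // Reversing the two calls would leave even the owner without access.
        ok &= f.setReadable(false, false);
        ok &= f.setReadable(true, true);
        ok &= f.setWritable(false, false);
        ok &= f.setWritable(true, true);
        ok &= f.setExecutable(false, false);
        if (f.isDirectory()) {
            ok &= f.setExecutable(true, true); // owner needs x to traverse the directory
        }
        return ok;
    }

    /**
     * Check helper: true if group or others still hold any permission bit,
     * false if only the owner does, null when the file system is not POSIX
     * (no way to read the mode back portably).
     */
    public static Boolean othersHaveAccess(File f) throws IOException {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(f.toPath());
            for (PosixFilePermission p : perms) {
                String name = p.name();
                if (name.startsWith("GROUP_") || name.startsWith("OTHERS_")) {
                    return Boolean.TRUE;
                }
            }
            return Boolean.FALSE;
        } catch (UnsupportedOperationException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a directory and one data file, created with the
        // process umask in effect, then tightened. Names are placeholders,
        // not Derby's real on-disk layout.
        File base = Files.createTempDirectory("perm-demo").toFile();
        File dbDir = new File(base, "dbdir");
        File dbFile = new File(dbDir, "data.dat");
        if (!dbDir.mkdir() || !dbFile.createNewFile()) {
            throw new IOException("could not create demo files under " + base);
        }
        try {
            System.out.println("before: group/others have access? " + othersHaveAccess(dbFile));
            boolean ok = limitAccessToOwner(dbDir) & limitAccessToOwner(dbFile);
            System.out.println("tightened successfully: " + ok);
            System.out.println("after:  group/others have access? " + othersHaveAccess(dbFile));
        } finally {
            dbFile.delete();
            dbDir.delete();
            base.delete();
        }
    }
}
```

Run it with a permissive umask (for example umask 022) to see the "before" line report true and the "after" line report false; run with -Dderby.storage.useDefaultFilePermissions=true to see the opt-out leave the mode untouched. Two caveats follow from the API itself: the file is created with the umask-derived mode and tightened only afterwards, so there is a brief window in which it carries the looser permissions, and on file systems that cannot make a file unreadable the call returns false and the mode stays as created. Both are reasons the comment's point stands: users who want the files protected still need an appropriate umask, whatever the default becomes.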