db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Kathey Marsden (Updated) (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (DERBY-5571) IndexStatisticsDaemonImpl.schedule should wrap Thread.setDaemon() in a privilege block
Date Tue, 17 Jan 2012 21:33:40 GMT

     [ https://issues.apache.org/jira/browse/DERBY-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel

Kathey Marsden updated DERBY-5571:

      Issue & fix info:   (was: High Value Fix)
               Urgency: Low
    Bug behavior facts: Security  (was: Security,Regression)

Thanks Kristian for looking at this so closely.  My knee jerk reaction has always been to
wrap anything that can throw a SecurityException but I see other places where setDaemon is
called with out doing so and if the default implementation does not require it, I think it
would be fine to set a low priority to fixing this issue.  I have never used it before, but
perhaps "Later" is an appropriate resolution for this issue.  I don't think modifyThread should
be a required permission.

> IndexStatisticsDaemonImpl.schedule  should wrap Thread.setDaemon() in a privilege block
> ---------------------------------------------------------------------------------------
>                 Key: DERBY-5571
>                 URL: https://issues.apache.org/jira/browse/DERBY-5571
>             Project: Derby
>          Issue Type: Bug
>            Reporter: Kathey Marsden
> IndexStatisticsDaemonImple.schedule() has the following code. setDaemon can throw a SecurityException
so should be wrapped. It says: SecurityException - if the current thread cannot modify this
> Does this mean that our documentation should require modifyThreadGroup privs too?
> Currently it is in our test policy but not the documentation:
> // These permissions are needed by AssertFailure to dump the thread stack
>   // traces upon failure.
>   //permission java.lang.RuntimePermission "getStackTrace";
>   permission java.lang.RuntimePermission "modifyThreadGroup";
>                // If we're idle, fire off the worker thread.
>                 if (runningThread == null) {
>                     runningThread = new Thread(this, "index-stat-thread");
>                     // Make the thread a daemon thread, we don't want it to stop
>                     // the JVM from exiting. This is a precaution.
>                     runningThread.setDaemon(true);
> Marking as a regression as a security violation could make existing statements fail.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira


View raw message