Mailing-List: contact derby-dev-help@db.apache.org; run by ezmlm
Precedence: bulk
Reply-To: <derby-dev@db.apache.org>
Date: Wed, 11 Apr 2012 22:05:16 +0000 (UTC)
From: "Dag H. Wanvik (Issue Comment Edited) (JIRA)" <jira@apache.org>
To: derby-dev@db.apache.org
Message-ID: 
 <1238294617.14912.1334181916846.JavaMail.tomcat@hel.zones.apache.org>
In-Reply-To: 
 <999711302.3511.1317660934206.JavaMail.tomcat@hel.zones.apache.org>
Subject: [jira] [Issue Comment Edited] (DERBY-5442) Create documentation for
 restrictive file permissions feature
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit


    [ https://issues.apache.org/jira/browse/DERBY-5442?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13251976#comment-13251976 ] 

Dag H. Wanvik edited comment on DERBY-5442 at 4/11/12 10:05 PM:
----------------------------------------------------------------

Maybe something like this can help?

"Controlling database file access

When Java creates new files, the visibility (access) of the new file
is normally determined by the JVM's environment and the file's location only,
cf. umask on Unix/Linux and default file permissions on Windows NTFS.

On Java 7 and newer, Derby may (further) restrict the file permissions
to the OS account that started the Java process, which is the minimum
needed for operation. This means that other operating system accounts
will have no access to directories or files created by Derby. This can
be helpful in enhancing default security for database files.
"

The exact behavior is determined by two factors: how the Derby engine
is started, and the the presence of (or not) and given value of the Java property
derby.storage.useDefaultFilePermissions.

The following matrix shows which approach is used:

<matrix>


For more information, see "derby.storage.useDefaultFilePermissions" in
the Derby Reference Manual.
                
      was (Author: dagw):
    Maybe something like this can help?

"Controlling database file access

When Java creates new files, the visibility (access) of the new file
is normally by JVM's environment and the file's location only,
cf. umask on Unix/Linux and defualt file permissions on Windows NTFS.

On Java 7 and newer, Derby may (further) restrict the file permissions
to the OS account that started the Java process, which is the minimum
needed for operation. This means that other operating system accounts
will have no access to directories or files created by Derby. This can
be helpful in enhancing default security for database files.
"

The exact behavior is determined by two factors: how the Derby engine
is started, and the the presence of (or not) and given value of the Java property
derby.storage.useDefaultFilePermissions.

The following matrix shows which approach is used:

<matrix>


For more information, see "derby.storage.useDefaultFilePermissions" in
the Derby Reference Manual.
                  
> Create documentation for restrictive file permissions feature
> -------------------------------------------------------------
>
>                 Key: DERBY-5442
>                 URL: https://issues.apache.org/jira/browse/DERBY-5442
>             Project: Derby
>          Issue Type: Sub-task
>          Components: Documentation
>            Reporter: Dag H. Wanvik
>            Assignee: Kim Haase
>             Fix For: 10.9.0.0
>
>         Attachments: DERBY-5442.diff, DERBY-5442.stat, DERBY-5442.zip
>
>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira