db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Knut Anders Hatlen (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (DERBY-6598) Document permissions recommendations for JAR procedures
Date Wed, 04 Jun 2014 08:32:02 GMT

    [ https://issues.apache.org/jira/browse/DERBY-6598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017492#comment-14017492

Knut Anders Hatlen commented on DERBY-6598:

Actually, is the security policy even relevant here? We're talking about fine-grained user
authorization (GRANT statement). Should jar file access also be an issue or is that not relevant
when the jar files are stored in the database?

I think you're right that you don't need extra permissions in the security policy in order
to use the jar files that are already stored in the database. You do need them in order to
install the jar files in the database, though. That is, SQLJ.INSTALL_JAR needs to be granted
permission to read the external jar file in order to copy it into the database.

Since we grant file permissions to derby.jar and not to a specific procedure, I think you're
right that those permissions are not as relevant. If you want to prevent a user from installing
jar files into the database, not granting the execute permission on the SQLJ procedures is
more targeted and probably more effective than limiting which directories the jar files can
be installed from.

I think the "Configuring Java security" topic of the security guide covers this under "Backups/imports/jars"
but might need an added note on this subject.

See also above. Since the FilePermissions are granted to derby.jar, SQLJ.INSTALL_JAR/SQLJ.REPLACE_JAR
could take advantage of any FilePermission("read") granted to derby.jar, for example on derby.system.home
or on the backup/import directories. So I'm not sure we can do much more than giving a general
advice that the FilePermissions (or, actually, any kind of permission) should be granted as
restrictively as possible, if we don't already do that. It's not necessary to tie that advice
to these specific procedures, I think.

The "Execute privileges" sections of the individual procedure topics in the Reference Manual
need the information.


In the Developer's Guide, the info should probably be added to the "Jar file examples" topic,
the parent of the one that shows how to use the procedures.

Yes. There is already a cross-reference back to the reference manual, but I can't see any
harm in spelling it out.

There's a mention of the procedures in one of the replication topics in the Admin Guide, but
it cross-references both the Dev Guide and the Reference Manual, so I don't think anything
needs to be added there.

Agreed. Nothing needs to be added to that topic.

> Document permissions recommendations for JAR procedures
> -------------------------------------------------------
>                 Key: DERBY-6598
>                 URL: https://issues.apache.org/jira/browse/DERBY-6598
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions:
>            Reporter: Kim Haase
>            Assignee: Kim Haase
> It's been recommended that we should make the documentation of the SQLJ.INSTALL_JAR procedure
(and SQLJ.REPLACE_JAR) state more explicitly that the privilege should only be granted to
trusted users. For example:
> "Since this procedure can be used to install arbitrary code that runs in the same Java
Virtual Machine as the Derby database engine, the execution privilege should only be granted
to trusted users."
> This needs to go into the Reference Manual topics on these procedures as well as other
locations where they are discussed.

This message was sent by Atlassian JIRA

View raw message