Return-Path: X-Original-To: apmail-felix-dev-archive@www.apache.org Delivered-To: apmail-felix-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 027689E0D for ; Wed, 2 Nov 2011 22:49:16 +0000 (UTC) Received: (qmail 29634 invoked by uid 500); 2 Nov 2011 22:49:15 -0000 Delivered-To: apmail-felix-dev-archive@felix.apache.org Received: (qmail 29586 invoked by uid 500); 2 Nov 2011 22:49:15 -0000 Mailing-List: contact dev-help@felix.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@felix.apache.org Delivered-To: mailing list dev@felix.apache.org Received: (qmail 29578 invoked by uid 99); 2 Nov 2011 22:49:15 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Nov 2011 22:49:15 +0000 X-ASF-Spam-Status: No, hits=-0.7 required=5.0 tests=FREEMAIL_FROM,RCVD_IN_DNSWL_LOW,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of karlpauls@gmail.com designates 209.85.216.49 as permitted sender) Received: from [209.85.216.49] (HELO mail-qw0-f49.google.com) (209.85.216.49) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 02 Nov 2011 22:49:11 +0000 Received: by qap15 with SMTP id 15so819164qap.22 for ; Wed, 02 Nov 2011 15:48:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :content-type; bh=uZj708ivWAhwUVel3MgJTG6lTS+RbucxDZtl0Q5FRkk=; b=nss8+MIwtYHv+8n72nmDFjyKpqNUC7iLw1WPlgdf0vxbe1HfQbTJ320DY07rE7GKkG 336pOk1baqOeZHZxpO85FhkjwYjqM0GgwF31WQLOk5XQHLmMBC5KSwXv423AY8qWGTvT 88TY8Vy1ns6UibwGAmf6BhTwT8dthIgTg2qoY= Received: by 10.182.226.33 with SMTP id rp1mr1325787obc.18.1320274130160; Wed, 02 Nov 2011 15:48:50 -0700 (PDT) MIME-Version: 1.0 Received: by 10.182.14.200 with HTTP; Wed, 2 Nov 2011 15:48:29 -0700 (PDT) In-Reply-To: References: <4EB15181.4080109@neat-it.de> From: Karl Pauls Date: Wed, 2 Nov 2011 23:48:29 +0100 Message-ID: Subject: Re: Security problem in Felix - Getting full file access within the cache directory To: dev@felix.apache.org Content-Type: text/plain; charset=ISO-8859-1 Rats, you are correct. I'll commit a patch right now. Could you build the security provider from trunk and see whether it works for you now (it does for me)? regards, Karl On Wed, Nov 2, 2011 at 11:12 PM, Karl Pauls wrote: > After looking at it for a bit, I agree, it seems there is a bug > somewhere. I'll investigate (again, feel free to create a JIRA issue). > > regards, > > Karl > > On Wed, Nov 2, 2011 at 4:32 PM, Karl Pauls wrote: >> Hi, >> >> could you create a jira issue for tracking this and if so maybe attach >> a reproducible scenario? >> >> Thanks. >> >> regards, >> >> Karl >> >> On Wed, Nov 2, 2011 at 3:19 PM, Michael Grammling >> wrote: >>> Hi there, >>> >>> it seems that there is a security problem in the "Framework Security" module >>> of Felix. >>> I have full access to the bundle cache directory from each bundle. >>> >>> Expectation: I should only get full access to the data storage of the bundle >>> itself. >>> Actually I was able to create files from Bundle 25 inside the data storage >>> of Bundle 0. >>> I even could delete the whole directory of Bundle 0. >>> >>> I checked the same with Knopflerfish which does this check correctly. >>> >>> Do I have to set more configuration parameters? >>> The OSGi specification defines that the framework should grant access to the >>> bundle's data storage. >>> >>> Best regards, >>> Michael >>> >>> >> >> >> >> -- >> Karl Pauls >> karlpauls@gmail.com >> http://twitter.com/karlpauls >> http://www.linkedin.com/in/karlpauls >> https://profiles.google.com/karlpauls >> > > > > -- > Karl Pauls > karlpauls@gmail.com > http://twitter.com/karlpauls > http://www.linkedin.com/in/karlpauls > https://profiles.google.com/karlpauls > -- Karl Pauls karlpauls@gmail.com http://twitter.com/karlpauls http://www.linkedin.com/in/karlpauls https://profiles.google.com/karlpauls