lucene-dev mailing list archives

From "Uwe Schindler (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (LUCENE-4352) only the test runner should be able to System.exit
Date Tue, 04 Sep 2012 07:05:08 GMT

    [ https://issues.apache.org/jira/browse/LUCENE-4352?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13447515#comment-13447515 ]

Uwe Schindler edited comment on LUCENE-4352 at 9/4/12 6:04 PM:
---------------------------------------------------------------

For the test-framework an example for using AccessController.doPrivileged() would be:
- Policy denies e.g. file access outside the test runner J0 working dir (which may be a good
idea) -> "untrusted code"
- But Policy allows writing files outside the J0 working directory for the test-framework.jar
file itself -> "trusted code"

The problem here would be: 
- "untrusted" code calls "trusted" code, e.g. the test ("untrusted") calls a method from test-framework
that writes outside base directory. The calling "untrusted" code is not allowed to do this,
but the test-framework itself ("trusted") is allowed to do this.
- SecurityManager would disallow this, but that may not be what we want.

The naming of AccessController.doPrivileged is a little bit misleading. It does not mean something
is "privileged", it just tells that the closure should not be handled by access checks of
the code calling you, but with the context of your own code. This is always needed when untrusted
code calls trusted code which would normally have higher rights.

The above example might be a good solution (limit write access to test-runner's local private
"J0" directory only).
                
      was (Author: thetaphi):
    For the test-framework an example for using AccessController.doPrivileged() would be:
- Policy denies e.g. file access outside the test runner JAR (which may be a good idea) ->
"untrusted code"
- But Policy allows writing files outside the J0 working directory for the test-framework.jar
file itself -> "trusted code"

The problem here would be: 
- "untrusted" code calls "trusted" code, e.g. the test ("untrusted") calls a method from test-framework
that writes outside base directory. The calling "untrusted" code is not allowed to do this,
but the test-framework itself ("trusted") is allowed to do this.
- SecurityManager would disallow this, but that may not be what we want.

The naming of AccessController.doPrivileged is a little bit misleading. It does not mean something
is "privileged", it just tells that the closure should not be handled by access checks of
the code calling you, but with the context of your own code. This is always needed when untrusted
code calls trusted code which would normally have higher rights.

The above example might be a good solution (limit write access to test-runner's local private
"J0" directory only).
                  
> only the test runner should be able to System.exit
> --------------------------------------------------
>
>                 Key: LUCENE-4352
>                 URL: https://issues.apache.org/jira/browse/LUCENE-4352
>             Project: Lucene - Core
>          Issue Type: Bug
>          Components: general/test
>    Affects Versions: 4.0-BETA
>            Reporter: Robert Muir
>            Assignee: Uwe Schindler
>             Fix For: 5.0, 4.0
>
>         Attachments: LUCENE-4352.patch, LUCENE-4352.patch, LUCENE-4352.patch, LUCENE-4352.patch,
LUCENE-4352.patch
>
>
> All others should get SecurityException
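The trusted/untrusted boundary described in the comment above, as an added stand-alone Java example (this is not Lucene's test-framework code). It assumes a made-up "J0" directory under java.io.tmpdir, a hypothetical TestFramework class standing in for test-framework.jar, and a demo Policy that grants everything to real code sources so that the only restriction comes from the ProtectionDomain built for the "untrusted" test. Case 2 shows the SecurityManager refusing the test's direct write outside J0; case 3 shows the same write succeeding when the framework does it under doPrivileged, because the permission check stops at the framework's frame and never reaches the test's restricted context.

```java
import java.io.File;
import java.io.FilePermission;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;

/**
 * Illustration of doPrivileged as a trust boundary; not Lucene code.
 * The J0 directory under java.io.tmpdir and the class names are assumptions
 * made for this demo.
 *
 * Run: javac DoPrivilegedDemo.java && java -Djava.security.manager=allow DoPrivilegedDemo
 * (the -D flag is required on JDK 17..23; JDK 24 removed the SecurityManager)
 */
public class DoPrivilegedDemo {
  static final Path J0 = Paths.get(System.getProperty("java.io.tmpdir"), "J0");
  static final Path OUTSIDE_J0 = Paths.get(System.getProperty("java.io.tmpdir"), "outside-j0.txt");

  /** Stand-in for test-framework.jar: "trusted" code whose own domain may write anywhere. */
  static final class TestFramework {
    static void writeReportOutsideJ0(String text) {
      // doPrivileged without a context argument: the permission check stops at
      // this frame, so only TestFramework's own protection domain is consulted,
      // not the restricted context of the test that called us.
      AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
        write(OUTSIDE_J0, text);
        return null;
      });
    }
  }

  /** Context a test runs under: FilePermission on J0 and everything below it, nothing else. */
  static AccessControlContext untrustedTestContext() {
    Permissions perms = new Permissions();
    perms.add(new FilePermission(J0.toString(), "read,write,delete"));
    perms.add(new FilePermission(J0.toString() + File.separator + "-", "read,write,delete"));
    // Static permissions only (null CodeSource): the Policy is not consulted for this domain.
    ProtectionDomain testDomain = new ProtectionDomain(null, perms);
    return new AccessControlContext(new ProtectionDomain[] { testDomain });
  }

  /** Run the action as if it were the "untrusted" test: the restricted context is intersected in. */
  static <T> T asUntrustedTest(PrivilegedAction<T> action) {
    return AccessController.doPrivileged(action, untrustedTestContext());
  }

  static void write(Path p, String text) {
    try {
      Files.write(p, text.getBytes(StandardCharsets.UTF_8));
    } catch (IOException e) {
      throw new UncheckedIOException(e);
    }
  }

  public static void main(String[] args) throws IOException {
    // Demo policy: every real code source gets every permission, so the only
    // restriction in this program is the ProtectionDomain in untrustedTestContext().
    Policy.setPolicy(new Policy() {
      @Override public boolean implies(ProtectionDomain domain, Permission permission) {
        return true;
      }
    });
    System.setSecurityManager(new SecurityManager());
    Files.createDirectories(J0);

    // 1. The test writes inside J0: allowed by the restricted context.
    asUntrustedTest(() -> { write(J0.resolve("ok.txt"), "fine"); return null; });
    System.out.println("test wrote inside J0");

    // 2. The test writes outside J0 directly: the SecurityManager refuses
    //    (AccessControlException is a SecurityException).
    try {
      asUntrustedTest(() -> { write(OUTSIDE_J0, "nope"); return null; });
      System.out.println("BUG: direct write outside J0 was allowed");
    } catch (SecurityException e) {
      System.out.println("direct write outside J0 denied: " + e.getMessage());
    }

    // 3. The test calls the framework, which performs the write under doPrivileged: allowed.
    asUntrustedTest(() -> { TestFramework.writeReportOutsideJ0("report"); return null; });
    System.out.println("framework wrote outside J0 on behalf of the test via doPrivileged");
  }
}
```

The point to take from case 3 is the one the comment makes about naming: doPrivileged does not grant TestFramework anything it did not already have; it only tells the stack walk to stop at TestFramework's frame instead of continuing up into the test's restricted context. That is also why framework code must keep the privileged block as small as possible and never let caller-supplied paths flow into it unchecked, since whatever the block does is judged by the framework's permissions rather than the caller's.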
