[ http://issues.apache.org/jira/browse/DERBY-1598?page=all ]
Andreas Korneliussen closed DERBY-1598.
---------------------------------------
Resolution: Duplicate
Duplicate: http://issues.apache.org/jira/browse/DERBY-1241
> unable to boot exisiting database from network server when running with
> security manager
> ----------------------------------------------------------------------------------------
>
> Key: DERBY-1598
> URL: http://issues.apache.org/jira/browse/DERBY-1598
> Project: Derby
> Issue Type: Bug
> Components: Store
> Affects Versions: 10.2.0.0
> Reporter: Andreas Korneliussen
> Priority: Blocker
>
> Myrna van Lunteren reported the following:
> ====Quote============
> I ran into the following interesting situation with permissions
> granted as per derby_tests.policy, and I'm hoping someone can answer
> my questions:
> - start networkserver with derby_tests.policy as described in the
> remote server testing section of the java/testing/README.htm, but with
> -h <srvhostname>
> - start an ij session, connect to the server creating a database
> - disconnect, exit ij, shutdown networkserver
> so far ok
> - start networkserver again just like before
> - start ij again just like before, connect to the same database again
> results in:
> ERROR XJ040: DERBY SQL error: SQLCODE: -1, SQLSTATE: XJ040, SQLERRMC:
> Failed to start database 'bladb', see the next exception for
> details.::SQLSTATE: XJ001Java exception: 'access denied
> (java.io.FilePermission
> /home/myrna/tsttmp5/srv/bladb/log/logmirror.ctrl read):
> java.security.AccessControlException'.
> One can dis- and reconnect fine as long as the network server is up,
> but once it has been bounced, reconnect fails.
> derby.log shows no stack trace, even though the following properties
> are set in derby.properties in derby.system.home:
> derby.infolog.append=true
> derby.language.logStatementText=true
> derby.stream.error.logSeverityLevel=0
> ------------------
> ...
> 2006-07-26 23:49:38.402 GMT Thread[DRDAConnThread_3,5,main] (DATABASE
> = bladb), (DRDAID = {1}), Failed to start database 'bladb', see the
> next exception for details.
> 2006-07-26 23:49:38.404 GMT Thread[DRDAConnThread_3,5,main] (DATABASE
> = bladb), (DRDAID = {1}), Java exception: 'access denied
> (java.io.FilePermission
> /home/myrna/tsttmp5/srv/bladb/log/logmirror.ctrl read):
> java.security.AccessControlException'.
> ----------------
> The error goes away when I add the following permissions to derbynet.jar:
> // all databases under derby.system.home
> permission java.io.FilePermission "${derby.system.home}${/}-",
> "read, write, delete";
> ====End Quote ============
> I have reproduced this problem manually. After adding some tracing calls in
> ..drda.Database.makeConnection() I got this stack trace:
> java.sql.SQLException: Failed to start database
> '/export/home/tmp/devel/derbydev/testing/testdb', see the next exception for
> details.
> at
> org.apache.derby.impl.jdbc.SQLExceptionFactory.getSQLException(SQLExceptionFactory.java:44)
> at org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Util.java:88)
> at org.apache.derby.impl.jdbc.Util.newEmbedSQLException(Util.java:94)
> at
> org.apache.derby.impl.jdbc.Util.generateCsSQLException(Util.java:173)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.newSQLException(EmbedConnection.java:1955)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.bootDatabase(EmbedConnection.java:1619)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.<init>(EmbedConnection.java:216)
> at
> org.apache.derby.impl.jdbc.EmbedConnection30.<init>(EmbedConnection30.java:72)
> at
> org.apache.derby.jdbc.Driver30.getNewEmbedConnection(Driver30.java:73)
> at
> org.apache.derby.jdbc.InternalDriver.connect(InternalDriver.java:209)
> at
> org.apache.derby.jdbc.AutoloadedDriver.connect(AutoloadedDriver.java:116)
> at
> org.apache.derby.impl.drda.Database.makeConnection(Database.java:232)
> at
> org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName(DRDAConnThread.java:1191)
> at
> org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(DRDAConnThread.java:1169)
> at
> org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(DRDAConnThread.java:2758)
> at
> org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(DRDAConnThread.java:1031)
> at
> org.apache.derby.impl.drda.DRDAConnThread.processCommands(DRDAConnThread.java:874)
> at
> org.apache.derby.impl.drda.DRDAConnThread.run(DRDAConnThread.java:254)
> NEXT Exception follows
> java.security.AccessControlException: access denied (java.io.FilePermission
> /export/home/tmp/devel/derbydev/testing/testdb/log/logmirror.ctrl read)
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
> at
> java.security.AccessController.checkPermission(AccessController.java:401)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:524)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
> at java.io.File.exists(File.java:678)
> at
> org.apache.derby.impl.store.raw.log.LogToFile.boot(LogToFile.java:2987)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.boot(BaseMonitor.java:1996)
> at
> org.apache.derby.impl.services.monitor.TopService.bootModule(TopService.java:290)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.startModule(BaseMonitor.java:542)
> at
> org.apache.derby.iapi.services.monitor.Monitor.bootServiceModule(Monitor.java:418)
> at
> org.apache.derby.impl.store.raw.data.BaseDataFileFactory.bootLogFactory(BaseDataFileFactory.java:1761)
> at
> org.apache.derby.impl.store.raw.data.BaseDataFileFactory.setRawStoreFactory(BaseDataFileFactory.java:1217)
> at org.apache.derby.impl.store.raw.RawStore.boot(RawStore.java:373)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.boot(BaseMonitor.java:1996)
> at
> org.apache.derby.impl.services.monitor.TopService.bootModule(TopService.java:290)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.startModule(BaseMonitor.java:542)
> at
> org.apache.derby.iapi.services.monitor.Monitor.bootServiceModule(Monitor.java:418)
> at
> org.apache.derby.impl.store.access.RAMAccessManager.boot(RAMAccessManager.java:987)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.boot(BaseMonitor.java:1996)
> at
> org.apache.derby.impl.services.monitor.TopService.bootModule(TopService.java:290)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.startModule(BaseMonitor.java:542)
> at
> org.apache.derby.iapi.services.monitor.Monitor.bootServiceModule(Monitor.java:418)
> at
> org.apache.derby.impl.db.BasicDatabase.bootStore(BasicDatabase.java:738)
> at org.apache.derby.impl.db.BasicDatabase.boot(BasicDatabase.java:178)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.boot(BaseMonitor.java:1996)
> at
> org.apache.derby.impl.services.monitor.TopService.bootModule(TopService.java:290)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.bootService(BaseMonitor.java:1831)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.startProviderService(BaseMonitor.java:1697)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.findProviderAndStartService(BaseMonitor.java:1577)
> at
> org.apache.derby.impl.services.monitor.BaseMonitor.startPersistentService(BaseMonitor.java:990)
> at
> org.apache.derby.iapi.services.monitor.Monitor.startPersistentService(Monitor.java:541)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.bootDatabase(EmbedConnection.java:1602)
> at
> org.apache.derby.impl.jdbc.EmbedConnection.<init>(EmbedConnection.java:216)
> at
> org.apache.derby.impl.jdbc.EmbedConnection30.<init>(EmbedConnection30.java:72)
> at
> org.apache.derby.jdbc.Driver30.getNewEmbedConnection(Driver30.java:73)
> at
> org.apache.derby.jdbc.InternalDriver.connect(InternalDriver.java:209)
> at
> org.apache.derby.jdbc.AutoloadedDriver.connect(AutoloadedDriver.java:116)
> at
> org.apache.derby.impl.drda.Database.makeConnection(Database.java:232)
> at
> org.apache.derby.impl.drda.DRDAConnThread.getConnFromDatabaseName(DRDAConnThread.java:1191)
> at
> org.apache.derby.impl.drda.DRDAConnThread.verifyUserIdPassword(DRDAConnThread.java:1169)
> at
> org.apache.derby.impl.drda.DRDAConnThread.parseSECCHK(DRDAConnThread.java:2758)
> at
> org.apache.derby.impl.drda.DRDAConnThread.parseDRDAConnection(DRDAConnThread.java:1031)
> at
> org.apache.derby.impl.drda.DRDAConnThread.processCommands(DRDAConnThread.java:874)
> at
> org.apache.derby.impl.drda.DRDAConnThread.run(DRDAConnThread.java:254)
> It seems like the method org.apache.derby.impl.store.raw.log.LogToFile.boot
> calls File.exists() directly, instead of doing it in a privileged block.
> So, a fix could possibly be to use privExists(..) as below:
> Index: LogToFile.java
> ===================================================================
> --- LogToFile.java (revision 425403)
> +++ LogToFile.java (working copy)
> @@ -2985,7 +2985,7 @@
> }
>
> if (checkpointInstant ==
> LogCounter.INVALID_LOG_INSTANT &&
> -
> getMirrorControlFileName().exists())
> +
> privExists(getMirrorControlFileName()))
> {
> checkpointInstant =
> readControlFile(
> I have tested that running with this, I did not get the security exception.
> However, I have not run any other tests on the proposed patch.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
