Wow, thank you very much. I will take a look at it as soon as I can.
From: Rick Hillegas <rick.hille...@gmail.com>
Sent: Monday, August 20, 2018 9:02 PM
To: derby-user@db.apache.org
Subject: Re: Need help with security policy
Hey Mark,
I have reproduced some of your security policy problems with Derby 10.14.2.0 on
Java 11. I used the server.policy bundled with the product. I had to adjust the
policy file as follows:
1) Grant derbynet.jar the following additional permissions:
permission java.util.PropertyPermission "derby.*", "read,write";
permission java.net.SocketPermission "localhost:${derby.security.port}",
"connect,resolve";
2) Grant derbytools.jar the following additional permission:
permission java.util.PropertyPermission "*", "read,write";
3) Grant derbyclient.jar the following additional permission:
permission java.net.SocketPermission "localhost:${derby.security.port}",
"connect,resolve";
With those adjustments, the experiments ran successfully. I have attached the
files which I used for these experiments:
zstart - script to boot the server
zij - script to run a simple ij script using the client driver
zstop - script to shutdown the server
zz.policy - policy file used by all of the scripts
Hope this helps,
-Rick
On 8/20/18 5:49 AM, Michael Remijan wrote:
Hi Derby users.
I need some help getting the security policy right.
First, here is the command line with all the options for when I start Derby.
I'm pretty sure I got all these correct.
/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0
-Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527
-Dderby.install.url=file:/home/derby/opt/derby/lib/<file://home/derby/opt/derby/lib/>
-Djava.security.manager
-Djava.security.policy=/var/local/derby/1527/security.policy -classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl start
My Java version is:
OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)
My Derby version is:
10.14.2.0
My Derby sysinfo is:
------------------ Java Information ------------------
Java Version: 11-ea
Java Vendor: Azul Systems, Inc.
Java home: /opt/zulu11.1+23-ea-jdk11-linux_x64
Java classpath:
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
OS name: Linux
OS architecture: amd64
OS version: 4.15.0-20-generic
Java user name: derby
Java user home: /home/derby
Java user dir: /opt/db-derby-10.14.2.0-bin/bin
java.specification.name: Java Platform API Specification
java.specification.version: 11
java.runtime.version: 11-ea+22
--------- Derby Information --------
[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)
------------------------------------------------------
----------------- Locale Information -----------------
------------------------------------------------------
------------------------------------------------------
I copied the demo file from demo/templates/server.policy and I use it as my
/var/local/derby/1527/security. The only change I made to the demo file was to
*uncomment* the following permission:
permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
After running Derby with this security policy (see attached), the Derby network
server is able to start fine and I can connect remote clients successfully.
However, I have 2 problems which I haven't been able to resolve.
(1)
The first big problem is I cannot shutdown the the Derby network server while
it's running the security policy! Here is the commanline of the shutdown
command:
derby 5503 5498 0 07:43 pts/2 00:00:00 /home/derby/opt/java/bin/java
-Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527
-Dderby.system.home=/var/local/derby/1527
-Dderby.install.url=file:/home/derby/opt/derby/lib/<file://home/derby/opt/derby/lib/>
-Djava.security.manager
-Djava.security.policy=/var/local/derby/1527/security.policy -classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl shutdown
Here is the StackTrace I get trying to shutdown:
Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission"
"0.0.0.0:1527" "connect,resolve")
java.security.AccessControlException: access denied
("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
at
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.base/java.security.AccessController.checkPermission(AccessController.java:895)
at
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at
java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)
at java.base/java.net.Socket.connect(Socket.java:586)
at java.base/java.net.Socket.connect(Socket.java:540)
at java.base/java.net.Socket.<init>(Socket.java:436)
at java.base/java.net.Socket.<init>(Socket.java:246)
at
java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)
at
org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
at
org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Native
Method)
at
org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)
at
org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)
at
org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
at org.apache.derby.drda.NetworkServerControl.main(Unknown
Source)
Any help with this permission problem would be greatly appreciated.
(2)
When I try to run a database backup, I get a file permission exception.
Exception in thread "main" java.security.AccessControlException: access denied
("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")
at
java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
at
java.base/java.security.AccessController.checkPermission(AccessController.java:895)
at
java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
at
java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
at
java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)
at
java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
at java.base/java.security.AccessController.doPrivileged(Native
Method)
at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
at org.apache.derby.tools.ij.main(Unknown Source)
I'm surprised at this exception because I specifically set the permission in my
security.policy file permission java.io.FilePermission "<<ALL FILES>>",
"read,write,delete";
So I'm not sure what's going on with this exception either. Any help would be
appreciated.
Mike
@mjremijan
