[ https://issues.apache.org/jira/browse/DERBY-6598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14017492#comment-14017492 ]

Knut Anders Hatlen commented on DERBY-6598:
-------------------------------------------

{quote}
Actually, is the security policy even relevant here? We're talking about 
fine-grained user authorization (GRANT statement). Should jar file access also 
be an issue or is that not relevant when the jar files are stored in the 
database?
{quote}

I think you're right that you don't need extra permissions in the security 
policy in order to use the jar files that are already stored in the database. 
You do need them in order to install the jar files in the database, though. 
That is, SQLJ.INSTALL_JAR needs to be granted permission to read the external 
jar file in order to copy it into the database.

Since we grant file permissions to derby.jar and not to a specific procedure, I 
think you're right that those permissions are not as relevant. If you want to 
prevent a user from installing jar files into the database, not granting the 
execute permission on the SQLJ procedures is more targeted and probably more 
effective than limiting which directories the jar files can be installed from.

{quote}
I think the "Configuring Java security" topic of the security guide covers this 
under "Backups/imports/jars" but might need an added note on this subject.
{quote}

See also above. Since the FilePermissions are granted to derby.jar, 
SQLJ.INSTALL_JAR/SQLJ.REPLACE_JAR could take advantage of any 
FilePermission("read") granted to derby.jar, for example on derby.system.home 
or on the backup/import directories. So I'm not sure we can do much more than 
giving general advice that the FilePermissions (or, actually, any kind of 
permission) should be granted as restrictively as possible, if we don't already 
do that. It's not necessary to tie that advice to these specific procedures, I 
think.

{quote}
The "Execute privileges" sections of the individual procedure topics in the 
Reference Manual need the information.
{quote}

+1

{quote}
In the Developer's Guide, the info should probably be added to the "Jar file 
examples" topic, the parent of the one that shows how to use the procedures.
{quote}

Yes. There is already a cross-reference back to the reference manual, but I 
can't see any harm in spelling it out.

{quote}
There's a mention of the procedures in one of the replication topics in the 
Admin Guide, but it cross-references both the Dev Guide and the Reference 
Manual, so I don't think anything needs to be added there.
{quote}

Agreed. Nothing needs to be added to that topic.
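As an added illustration of the point made in the comment above (this is example SQL, not code from the issue or from the Derby documentation): the targeted control is the EXECUTE privilege on the SQLJ procedures, managed by the database owner once SQL authorization is enabled. The user name TRUSTED_DEPLOYER is an assumed placeholder.

```sql
-- Assumed: the database runs with derby.connection.requireAuthentication=true
-- and derby.database.sqlAuthorization=true, and this session is the database
-- owner. TRUSTED_DEPLOYER is a constructed user name, not one from the issue.

-- 1. Grant the execute privilege only to the user who is trusted to load code
--    into the engine's JVM. Deliberately no grant to PUBLIC.
GRANT EXECUTE ON PROCEDURE SQLJ.INSTALL_JAR TO TRUSTED_DEPLOYER;
GRANT EXECUTE ON PROCEDURE SQLJ.REPLACE_JAR TO TRUSTED_DEPLOYER;

-- 2. Review who currently holds execute privileges on the SQLJ procedures.
--    A row with GRANTEE = 'PUBLIC' means every authenticated user may install
--    arbitrary code into the database, which is what the issue warns against.
SELECT a.ALIAS, p.GRANTEE, p.GRANTOR
  FROM SYS.SYSROUTINEPERMS p
  JOIN SYS.SYSALIASES a ON p.ALIASID = a.ALIASID
  JOIN SYS.SYSSCHEMAS s ON a.SCHEMAID = s.SCHEMAID
 WHERE s.SCHEMANAME = 'SQLJ'
 ORDER BY a.ALIAS, p.GRANTEE;

-- 3. If an over-broad grant shows up, remove it. Derby requires RESTRICT when
--    revoking EXECUTE on a routine; revoking a privilege that is not held only
--    produces a warning.
REVOKE EXECUTE ON PROCEDURE SQLJ.INSTALL_JAR FROM PUBLIC RESTRICT;
REVOKE EXECUTE ON PROCEDURE SQLJ.REPLACE_JAR FROM PUBLIC RESTRICT;
```

Run the SELECT in step 2 again after the revoke to confirm that only the intended grantee (and the database owner, who needs no explicit row) remains.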

> Document permissions recommendations for JAR procedures
> -------------------------------------------------------
>
>                 Key: DERBY-6598
>                 URL: https://issues.apache.org/jira/browse/DERBY-6598
>             Project: Derby
>          Issue Type: Bug
>          Components: Documentation
>    Affects Versions: 10.11.0.0
>            Reporter: Kim Haase
>            Assignee: Kim Haase
>
> It's been recommended that we should make the documentation of the 
> SQLJ.INSTALL_JAR procedure (and SQLJ.REPLACE_JAR) state more explicitly that 
> the privilege should only be granted to trusted users. For example:
> "Since this procedure can be used to install arbitrary code that runs in the 
> same Java Virtual Machine as the Derby database engine, the execution 
> privilege should only be granted to trusted users."
> This needs to go into the Reference Manual topics on these procedures as well 
> as other locations where they are discussed.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
