[ https://issues.apache.org/jira/browse/DERBY-6648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rick Hillegas updated DERBY-6648:
---------------------------------

    Attachment: derby-6648-01-aa-oneActionList.diff

Attaching derby-6648-01-aa-oneActionList.diff. This is a first rev of a patch 
for this issue. No tests included.

This patch adds a new action for engine SystemPermissions. In order to get your 
hands on Derby contexts, you need to grant the engine the following 
SystemPermission:

  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";

I have stumbled across an annoying behavior of SystemPermission. It seems that 
you can only grant your protection domain one kind of engine permission. You 
have to put all of your engine actions into one permission. So, in order to use 
the JMX beans as well, you need to grant this composite permission:

  permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";

You can't split that up into two engine permissions. The second engine 
permission overwrites the first one. This fails:

  permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
  permission org.apache.derby.security.SystemPermission "engine", "monitor";

Touches the following files:

M       java/engine/org/apache/derby/iapi/services/context/ContextService.java
M       java/engine/org/apache/derby/iapi/security/SecurityUtil.java
M       java/engine/org/apache/derby/jdbc/EmbeddedDriver.java
M       java/engine/org/apache/derby/security/SystemPermission.java
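For reference, here is the two grants above placed in a Java security policy file, as an added example that is not part of the attached patch or of the comment; the codeBase URL is a placeholder for the application's own protection domain (jar or class directory), which is what the comment means by "your protection domain".

```text
// Java policy fragment for the APPLICATION code that needs Derby internals.
// The codeBase URL is a placeholder; point it at the application's jar or
// class directory, not at derby.jar.
grant codeBase "file:/PATH/TO/APPLICATION/-" {
    // Does NOT work: two separate "engine" permissions. As noted in the
    // comment, the second engine permission overwrites the first, so only
    // the last action list ("monitor") is in effect and "usederbyinternals"
    // is silently lost.
    //   permission org.apache.derby.security.SystemPermission "engine", "usederbyinternals";
    //   permission org.apache.derby.security.SystemPermission "engine", "monitor";

    // Works: a single "engine" permission whose action list carries every
    // engine action this protection domain needs, comma-separated.
    permission org.apache.derby.security.SystemPermission "engine", "monitor,usederbyinternals";
};
```

When checking a policy for this issue, grep each grant block for more than one SystemPermission "engine" line; any block that has two should be collapsed into one combined action list.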


> Application code should not be able to call ContextService.getContextOrNull()
> -----------------------------------------------------------------------------
>
>                 Key: DERBY-6648
>                 URL: https://issues.apache.org/jira/browse/DERBY-6648
>             Project: Derby
>          Issue Type: Bug
>          Components: Services
>    Affects Versions: 10.11.1.1
>            Reporter: Rick Hillegas
>         Attachments: derby-6648-01-aa-oneActionList.diff
>
>
> By calling ContextService.getContextOrNull() (and its relatives), application 
> code can get its hands on all sorts of internal Derby contexts, factories, 
> and managers. This allows application code to bypass SQL authorization checks 
> and perform sensitive or data-corrupting actions.
> For instance, right now an application can use this method to get its hands 
> on the language connection context. From the lcc, the application can get its 
> hands on the data dictionary and the execution transaction. Armed with those 
> objects, the application can bypass authorization checks and create schema 
> objects, users, and permissions.
> Only Derby code should be able to call this powerful method.
--
This message was sent by Atlassian JIRA
(v6.2#6252)