[jira] [Commented] (DERBY-5363) Tighten default permissions of DB files with >= JDK6

Wed, 31 Aug 2011 09:35:34 -0700 

    [ 
https://issues.apache.org/jira/browse/DERBY-5363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13094668#comment-13094668
 ] 

Rick Hillegas commented on DERBY-5363:
--------------------------------------

I think that the default embedded behavior should also be to use the tighter 
file permissions. From the release notes, embedded users, like client/server 
users, can figure out how to disable the tighter permissions if necessary.

We have a significant security hole here: Broad permission is currently given 
to other users to type out conglomerates which contain sensitive information 
and to type out derby.log, which can contain SQL text. Backward compatibility 
is important but I believe it must be trumped by security fixes. I think that 
the security hole here is big enough to warrant breaking compatibility, 
particularly since a simple remedy removes the compatibility problem. Thanks.

> Tighten default permissions of DB files with >= JDK6
> ----------------------------------------------------
>
>                 Key: DERBY-5363
>                 URL: https://issues.apache.org/jira/browse/DERBY-5363
>             Project: Derby
>          Issue Type: Improvement
>            Reporter: Dag H. Wanvik
>         Attachments: derby-5363-basic-1.diff, derby-5363-basic-1.stat, 
> permission-5.diff, permission-5.stat, permission-6.diff, permission-6.stat, 
> property-table.png, z.sql
>
>
> Before Java 6, files created by Derby would have the default
> permissions of the operating system context. Under Unix, this would
> depend on the effective umask of the process that started the Java VM.
> In Java 6 and 7, there are methods available that allows tightening up this
> (File.setReadable, setWritable), making it less likely that somebody
> would accidentally run Derby with a too lenient default.
> I suggest we take advantage of this, and let Derby by default (in Java
> 6 and higher) limit the visibility to the OS user that starts the VM,
> e.g. on Unix this would be equivalent to running with umask 0077. More
> secure by default is good, I think.
> We could have a flag, e.g. "derby.storage.useDefaultFilePermissions"
> that when set to true, would give the old behavior.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to