[https://issues.apache.org/jira/browse/DERBY-5363?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13095355#comment-13095355]
Kathey Marsden commented on DERBY-5363:
---------------------------------------
Dag said ...
"The whole point of doing this is "to protect users against themselves", i.e.
provide a default that is secure rather than insecure."
For embedded, the default has always been focused on zero admin, and so is pretty
much wide open by default and not secure. Users have to take specific steps to
secure Derby and absorb the necessary administration and work to secure it. I
think many embedded applications require multiple user access and that is a
perfectly valid use of the product. I don't think we can justify breaking
these applications to protect some other users from themselves.
I am more comfortable with changing the command line startup for Network Server
as it is not a zero admin solution. Multiple connecting client users will not
be affected by the permission change and we have already made efforts to
improve default security. Although they exist, it is harder to think of valid
scenarios where multiple users need to start network server and I think we
could mitigate it from a support perspective, which I don't think we could for
embedded.
Whether the default changes or it doesn't, and in what scenarios, I think it
would be wise to consult the user list and get feedback. I think the user I
talked to was certainly right when he said:
"there are times when a component *really* needs to change default behavior,
but it should only be after a lot of consideration and adopter buy-in"
Dag, can you bring this issue up on the user list? I could do it, but I think
since you are driving the change it would be most appropriate for you to
initiate the user list discussion. I think it will also help raise awareness
for current users that they need their umask set appropriately if they want the
files protected.
> Tighten default permissions of DB files with >= JDK6
> ----------------------------------------------------
>
> Key: DERBY-5363
> URL: https://issues.apache.org/jira/browse/DERBY-5363
> Project: Derby
> Issue Type: Improvement
> Components: Miscellaneous, Services, Store
> Reporter: Dag H. Wanvik
> Assignee: Dag H. Wanvik
> Attachments: derby-5363-basic-1.diff, derby-5363-basic-1.stat,
> derby-5363-basic-2.diff, derby-5363-basic-2.stat, permission-5.diff,
> permission-5.stat, permission-6.diff, permission-6.stat, property-table.png,
> z.sql
>
>
> Before Java 6, files created by Derby would have the default
> permissions of the operating system context. Under Unix, this would
> depend on the effective umask of the process that started the Java VM.
> In Java 6 and 7, there are methods available that allow tightening this up
> (File.setReadable, setWritable), making it less likely that somebody
> would accidentally run Derby with too lenient a default.
> I suggest we take advantage of this, and let Derby by default (in Java
> 6 and higher) limit the visibility to the OS user that starts the VM,
> e.g. on Unix this would be equivalent to running with umask 0077. More
> secure by default is good, I think.
> We could have a flag, e.g. "derby.storage.useDefaultFilePermissions"
> that when set to true, would give the old behavior.
--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
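The quoted issue description proposes using the Java 6 java.io.File methods to limit a freshly created database file to the OS user running the VM, with a property to restore the old umask-driven behaviour. The class below is an added illustration of that idea and is not Derby's code or any of the attached patches; the class name, the createRestricted method and the way the derby.storage.useDefaultFilePermissions property is consulted are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not Derby code): restrict a newly created file to the
 * OS user that started the VM using only java.io.File methods available
 * since Java 6. On Unix the result matches a file created under umask
 * 0077 (mode 0600).
 */
public final class OwnerOnlyFile {

    // Property name taken from the issue text; honouring it this way is
    // an assumption of this example, not documented Derby behaviour.
    static final String USE_DEFAULT_PERMS = "derby.storage.useDefaultFilePermissions";

    /**
     * Returns true only if the platform accepted every permission change.
     * Each permission is first revoked for everyone (ownerOnly=false) and
     * then granted back to the owner alone (ownerOnly=true); doing it in
     * the opposite order would strip the owner's access as well.
     */
    public static boolean restrictToOwner(File f) {
        boolean ok = true;
        // Non-short-circuit &= so every call is attempted even after a failure.
        ok &= f.setReadable(false, false);
        ok &= f.setReadable(true, true);
        ok &= f.setWritable(false, false);
        ok &= f.setWritable(true, true);
        // A data file never needs to be executable.
        ok &= f.setExecutable(false, false);
        return ok;
    }

    /**
     * Creates the file, then tightens it unless the flag asks for the
     * pre-Java-6 behaviour (whatever the process umask yields).
     */
    public static File createRestricted(File f) throws IOException {
        if (!f.createNewFile()) {
            throw new IOException("file already exists: " + f);
        }
        if (Boolean.getBoolean(USE_DEFAULT_PERMS)) {
            return f; // keep operating-system defaults
        }
        if (!restrictToOwner(f)) {
            // Some platforms (Windows under Java 6, for instance) report
            // false for setReadable(false, ...); fail loudly rather than
            // silently leaving the file more open than intended.
            throw new IOException("could not restrict permissions on " + f);
        }
        return f;
    }

    public static void main(String[] args) throws IOException {
        File f = new File(args.length > 0 ? args[0] : "derby-example.dat");
        createRestricted(f);
        System.out.println("created " + f + " with owner-only permissions");
    }
}
```

Two caveats follow from the approach itself. First, there is a short window between createNewFile and the setReadable/setWritable calls during which the file carries whatever the process umask produced, so the comment above about users keeping their umask set appropriately still applies even with this tightening in place. Second, because the java.io.File methods only return a boolean, a caller that ignores the return value cannot tell a restricted file from one the platform left untouched; checking it, as restrictToOwner does, is what makes the behaviour verifiable.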