[jira] [Updated] (DERBY-5571) IndexStatisticsDaemonImpl.schedule should wrap Thread.setDaemon() in a privilege block

Tue, 17 Jan 2012 13:34:03 -0800 

     [ 
https://issues.apache.org/jira/browse/DERBY-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kathey Marsden updated DERBY-5571:
----------------------------------

      Issue & fix info:   (was: High Value Fix)
               Urgency: Low
    Bug behavior facts: Security  (was: Security,Regression)

Thanks Kristian for looking at this so closely.  My knee jerk reaction has 
always been to wrap anything that can throw a SecurityException but I see other 
places where setDaemon is called with out doing so and if the default 
implementation does not require it, I think it would be fine to set a low 
priority to fixing this issue.  I have never used it before, but perhaps 
"Later" is an appropriate resolution for this issue.  I don't think 
modifyThread should be a required permission.


                
> IndexStatisticsDaemonImpl.schedule  should wrap Thread.setDaemon() in a 
> privilege block
> ---------------------------------------------------------------------------------------
>
>                 Key: DERBY-5571
>                 URL: https://issues.apache.org/jira/browse/DERBY-5571
>             Project: Derby
>          Issue Type: Bug
>            Reporter: Kathey Marsden
>
> IndexStatisticsDaemonImple.schedule() has the following code. setDaemon can 
> throw a SecurityException so should be wrapped. It says: SecurityException - 
> if the current thread cannot modify this thread.
> Does this mean that our documentation should require modifyThreadGroup privs 
> too?
> Currently it is in our test policy but not the documentation:
> // These permissions are needed by AssertFailure to dump the thread stack
>   // traces upon failure.
>   //permission java.lang.RuntimePermission "getStackTrace";
>   permission java.lang.RuntimePermission "modifyThreadGroup";
>                // If we're idle, fire off the worker thread.
>                 if (runningThread == null) {
>                     runningThread = new Thread(this, "index-stat-thread");
>                     // Make the thread a daemon thread, we don't want it to 
> stop
>                     // the JVM from exiting. This is a precaution.
>                     runningThread.setDaemon(true);
> Marking as a regression as a security violation could make existing 
> statements fail.
>                     

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to