[jira] [Commented] (DERBY-5571) IndexStatisticsDaemonImpl.schedule should wrap Thread.setDaemon() in a privilege block

Tue, 17 Jan 2012 14:36:05 -0800 

    [ 
https://issues.apache.org/jira/browse/DERBY-5571?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13188079#comment-13188079
 ] 

Kristian Waagan commented on DERBY-5571:
----------------------------------------

It would be nice to get this confirmed by someone with more intimate knowledge 
on the topic.

I'm fine with making our use of setDaemon consistent. This may or may not 
involve using doPrivileged blocks.
I'm more reluctant to making modifyThread a required permission, but we seem to 
be in agreement on this point.
                
> IndexStatisticsDaemonImpl.schedule  should wrap Thread.setDaemon() in a 
> privilege block
> ---------------------------------------------------------------------------------------
>
>                 Key: DERBY-5571
>                 URL: https://issues.apache.org/jira/browse/DERBY-5571
>             Project: Derby
>          Issue Type: Bug
>            Reporter: Kathey Marsden
>
> IndexStatisticsDaemonImple.schedule() has the following code. setDaemon can 
> throw a SecurityException so should be wrapped. It says: SecurityException - 
> if the current thread cannot modify this thread.
> Does this mean that our documentation should require modifyThreadGroup privs 
> too?
> Currently it is in our test policy but not the documentation:
> // These permissions are needed by AssertFailure to dump the thread stack
>   // traces upon failure.
>   //permission java.lang.RuntimePermission "getStackTrace";
>   permission java.lang.RuntimePermission "modifyThreadGroup";
>                // If we're idle, fire off the worker thread.
>                 if (runningThread == null) {
>                     runningThread = new Thread(this, "index-stat-thread");
>                     // Make the thread a daemon thread, we don't want it to 
> stop
>                     // the JVM from exiting. This is a precaution.
>                     runningThread.setDaemon(true);
> Marking as a regression as a security violation could make existing 
> statements fail.
>                     

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: 
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

Reply via email to