Security errors accessing configurations in the file system
-----------------------------------------------------------
Key: FELIX-1479
URL: https://issues.apache.org/jira/browse/FELIX-1479
Project: Felix
Issue Type: Bug
Components: Configuration Admin
Affects Versions: configadmin-1.0.10
Reporter: Felix Meschberger
Fix For: configadmin-1.0.12
When the FilePersistenceManager is trying to access the configuration files it
currently does this in the security context of the calling bundle. If the
calling bundle does not have file access permissions, this access fails
(unexpectedly).
The fix is to ensure running in doPrivileged using the configuration admin
bundle's security context to access the files.
More informations from the original reporter:
There seems no test of that SecurityException is thrown because
a configuring bundle CB does not have appropriate Permission to call
ConfigurationAdmin#getConfiguration(pid,location).
# In testGetConfigurationWithLocation(), CB can get a Configuration
# objects because it has AllPermission.
As far as I see, felix cm impl has a bug if the Java Runtime supports
security. In my test, the following Exception is thrown. (
Currently, the CB fails to get a Configuration. The reason is CB has no
permission to access a file FilePersistenceManager handles.
"doPriviledge" in seems required to avoid it.
----
locations[0]=C:\ws\OSGiSVN\cnf\repo\osgi.cmpn\osgi.cmpn-4.2.1.jar
(java.security.AllPermission)
locations[1]=targetB1.jar
(java.security.AllPermission)
locations[2]=C:\ws\OSGiSVN\licensed\repo\org.apache.felix.configadmin\org.apache.felix.configadmin-1.0.10.jar
(java.security.AllPermission)
locations[3]=C:\ws\OSGiSVN\org.osgi.test.cases.cm.ext\generated\org.osgi.test.cases.cm.ext.jar
(java.security.AllPermission)
locations[4]=setAllPermission.jar
(java.security.AllPermission)
locations[5]=configuringB1.jar
(org.osgi.framework.PackagePermission "org.osgi.service.cm"
"IMPORT")
(org.osgi.framework.ServicePermission
"org.osgi.service.cm.ConfigurationAdmin" "GET")
(org.osgi.framework.PackagePermission
"org.osgi.test.cases.cm.ext.util" "IMPORT")
(org.osgi.framework.ServicePermission
"org.osgi.test.cases.cm.ext.util.ResultKeeper" "REGISTER")
(org.osgi.framework.PackagePermission "org.osgi.framework"
"IMPORT")
(org.osgi.service.cm.ConfigurationPermission "*" "CONFIGURE")
locations[6]=System Bundle
(java.security.AllPermission)
default permission=
(java.util.PropertyPermission "java.home" "read")
org.osgi.framework.BundleException: Exception in
org.osgi.test.cases.cm.ext.configuringB1.ConfiguringActivator.start() of bundle
org.osgi.test.cases.cm.ext.configuringB1.
at
org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:805)
at
org.eclipse.osgi.framework.internal.core.BundleContextImpl.start(BundleContextImpl.java:754)
at
org.eclipse.osgi.framework.internal.core.BundleHost.startWorker(BundleHost.java:352)
at
org.eclipse.osgi.framework.internal.core.AbstractBundle.start(AbstractBundle.java:280)
at
org.eclipse.osgi.framework.internal.core.AbstractBundle.start(AbstractBundle.java:272)
at
org.osgi.test.cases.cm.ext.tbc.CmExtTestControl.startBundleAndCheckSecurityException(CmExtTestControl.java:2120)
at
org.osgi.test.cases.cm.ext.tbc.CmExtTestControl.testGetConfigurationWithLocation1_1_1(CmExtTestControl.java:227)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at junit.framework.TestCase.runTest(TestCase.java:164)
at junit.framework.TestCase.runBare(TestCase.java:130)
at junit.framework.TestResult$1.protect(TestResult.java:106)
at junit.framework.TestResult.runProtected(TestResult.java:124)
at junit.framework.TestResult.run(TestResult.java:109)
at junit.framework.TestCase.run(TestCase.java:120)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at junit.framework.TestSuite.runTest(TestSuite.java:230)
at junit.framework.TestSuite.run(TestSuite.java:225)
at aQute.junit.runtime.Target.doTesting(Target.java:158)
at aQute.junit.runtime.Target.run(Target.java:42)
at aQute.junit.runtime.Target.main(Target.java:33)
Caused by: java.security.AccessControlException: access denied
(java.io.FilePermission C:\ws\OSGiSVN\org.osgi.test.cases.cm.ext\generat
ed\fwtmp\org.eclipse.osgi\bundles\1\data\config\cm\ext\pid1.config read)
at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:269)
at
org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.internalCheckPermission(EquinoxSecurityManager.java:117)
at
org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager$CheckPermissionAction.run(EquinoxSecurityManager.java:60)
at java.security.AccessController.doPrivileged(Native Method)
at
org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.checkPermission(EquinoxSecurityManager.java:88)
at
org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.checkPermission(EquinoxSecurityManager.java:187)
at java.lang.SecurityManager.checkRead(SecurityManager.java:863)
at java.io.File.isFile(File.java:723)
at
org.apache.felix.cm.file.FilePersistenceManager.exists(FilePersistenceManager.java:388)
at
org.apache.felix.cm.impl.ConfigurationManager.getExistingConfiguration(ConfigurationManager.java:375)
at
org.apache.felix.cm.impl.ConfigurationManager.getConfiguration(ConfigurationManager.java:391)
at
org.apache.felix.cm.impl.ConfigurationAdminImpl.getConfiguration(ConfigurationAdminImpl.java:116)
at
org.osgi.test.cases.cm.ext.configuringB1.ConfiguringActivator.start(ConfiguringActivator.java:25)
at
org.eclipse.osgi.framework.internal.core.BundleContextImpl$1.run(BundleContextImpl.java:782)
at java.security.AccessController.doPrivileged(Native Method)
at
org.eclipse.osgi.framework.internal.core.BundleContextImpl.startActivator(BundleContextImpl.java:773)
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
