Security Problem: Getting full file access within the cache directory from one
Bundle
-------------------------------------------------------------------------------------
Key: FELIX-3196
URL: https://issues.apache.org/jira/browse/FELIX-3196
Project: Felix
Issue Type: Bug
Components: Framework Security
Affects Versions: framework.security-2.0.0
Environment: felix-framework-4.0.1
Reporter: Michael Grammling
It seems that there is a security problem in the "Framework Security" module of
Felix.
I have full access to the bundle cache directory from each bundle.
Expectation: I should only get full access to the data storage of the bundle
itself.
Actually I was able to create files from Bundle 25 inside the data storage of
Bundle 0.
I even could delete the whole directory of Bundle 0.
I checked the same with Knopflerfish which does this check correctly.
Do I have to set more configuration parameters?
The OSGi specification defines that the framework should grant access to the
bundle's data storage.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
