You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by "Myrna van Lunteren (JIRA)" <de...@db.apache.org> on 2006/03/10 03:06:41 UTC
[jira] Commented: (DERBY-622) sysinfo incorrectly requires
permission on Derby jar files
[ http://issues.apache.org/jira/browse/DERBY-622?page=comments#action_12369771 ]
Myrna van Lunteren commented on DERBY-622:
------------------------------------------
Without the step 1 patch, and without the lines currently in the derby_tests.policy file for derbynet.jar and derby.jar:
permission java.io.FilePermission "${derbyTesting.codedir}${/}*", "read";
the test will fail with output like this in the .tmp:
- - - - - - - - - - - - - - - - - - - - - - - - -
------------------ Java Information ------------------
Java Version: 1.4.2_07
Java Vendor: Sun Microsystems Inc.
Java home: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission java.home read)
Java classpath: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission java.class.path read)
OS name: Windows 2000
OS architecture: x86
OS version: 5.0
Java user name: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
Java user home: C:\Documents and Settings\Administrator
Java user dir: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
java.specification.name: Java Platform API Specification
java.specification.version: 1.4
--------- Derby Information --------
JRE - JDBC: J2SE 1.4.2 - JDBC 3.0
No Derby System info found!
------------------------------------------------------
----------------- Locale Information -----------------
------------------------------------------------------
End test
Testing Sysinfo (method)
- - - - - - - - - - - -
Note that the sed-processing removes the Java info section.
With the patch, we see this:
- - - - - - - - - - - -
------------------ Java Information ------------------
Java Version: 1.4.2_07
Java Vendor: Sun Microsystems Inc.
Java home: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission java.home read)
Java classpath: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission java.class.path read)
OS name: Windows 2000
OS architecture: x86
OS version: 5.0
Java user name: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.name read)
Java user home: C:\Documents and Settings\Administrator
Java user dir: Security Exception: java.security.AccessControlException: access denied (java.util.PropertyPermission user.dir read)
java.specification.name: Java Platform API Specification
java.specification.version: 1.4
--------- Derby Information --------
JRE - JDBC: J2SE 1.4.2 - JDBC 3.0
[/org/apache/derby/info/DBMS.properties] 10.2.0.0 alpha - (384366M)
------------------------------------------------------
----------------- Locale Information -----------------
------------------------------------------------------
End test
Testing Sysinfo (method)
- - - - - - - - -
So, not much of an improvement...
(Note, by the way, also, that in the mean time we ought to have another line in the derby_tests.policy file for the case that derbytools.jar is the first in the classpath - I guess everyone always puts derby.jar first...)
> sysinfo incorrectly requires permission on Derby jar files
> ----------------------------------------------------------
>
> Key: DERBY-622
> URL: http://issues.apache.org/jira/browse/DERBY-622
> Project: Derby
> Type: Bug
> Components: Security, Tools
> Versions: 10.2.0.0
> Reporter: Daniel John Debrunner
> Priority: Minor
> Fix For: 10.2.0.0
> Attachments: DERBY-622_step1.diff
>
> Running the test derbynet/sysinfo.java requires this permission in derby_tests.policy, in order to read the jar files.
> permission java.io.FilePermission "${csinfo.codedir}${/}*", "read"
> But according to the Java security specs:
> 'Note: code can always read a file from the same directory it's in (or a subdirectory of that directory); it does not need explicit permission to do so.'
> Probably means a privileged block is required when accessing the contents of the jar files in sysinfo
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira
Re: [jira] Commented: (DERBY-622) sysinfo incorrectly requires permission
on Derby jar files
Posted by Bryan Pendleton <bp...@amberpoint.com>.
Myrna van Lunteren wrote:
> Now I looked at the patch for DERBY-668, and I don't see that it
> addresses DERBY-622 at all...
I think my comment was overly alarming; sorry about that!
What I meant to say was that I have also been working on changing the
way that sysinfo behaves when it is run with a SecurityManager.
Specifically, I am working on the part of sysinfo which analyzes the
classpath, and there are security manager issues involving:
- is sysinfo allowed to read the java.class.path property
- is sysinfo allowed to call getProtectionDomain for a class
So I've added some new PrivilegedAction code, and I've added some
new code which catches SecurityException and prints messages trying
to help the user understand the security restrictions they're hitting,
and so forth.
I agree with you that the issues being addressed are independent, and
our two patches don't have to interact at all.
I just wanted to alert you to the fact that we both seemed to be working
in the general area of "sysinfo and SecurityManagers".
thanks,
bryan
P.S. Updated patch for DERBY-668 should arrive this weekend, with changes
incorporating Andrew's feedback (Thanks Andrew!)
Re: [jira] Commented: (DERBY-622) sysinfo incorrectly requires permission on Derby jar files
Posted by Myrna van Lunteren <m....@gmail.com>.
Now I looked at the patch for DERBY-668, and I don't see that it addresses
DERBY-622 at all...
I think my little patch - although not any great shakes, is still for the
intended bug an improvement in that you see at least the info of the
.properties files of the .jar file in which it sits...without granting any
additional accesses in the (derby_tests).policy file.
It doesn't totally address the 622 bug because the test will still fail if
you take out the // .... 622 lines in the derby_tests.policy file (so my
patch doesn't do that).
I don't think the two patches really interfere, although I can imagine an
automated merge to get confused...So whomever gets to take the merge needs
to be careful...
Or you can pick this bug up and figure out what I did wrong. :-)
I had one tiny question prompted your changes for DERBY-668 - you modified
the method tryAsResource - I didn't bother with it because eclipse thought
it wasn't used and it's not a public method...Should I have changed it?
Myrna
On 3/9/06, Myrna van Lunteren <m....@gmail.com> wrote:
>
> Hi Bryan,
>
> I admit I didn't look at your patch for DERBY-668, as I was under the
> impression you were looking into the permissions for properties...
>
> I'll try to have a look at your patch...
> However, note that I did not assign the issue to myself, because there
> are some other matters I want to focus on...
> :-)
>
> Myrna
>
>
> On 3/9/06, Bryan Pendleton <bp...@amberpoint.com> wrote:
> >
> > Myrna van Lunteren (JIRA) wrote:
> > > [
> > http://issues.apache.org/jira/browse/DERBY-622?page=comments#action_12369771]
> >
> > Myrna, I think that you and I have been working on a closely
> > related problem. You might want to have a close look at the various
> > comments in DERBY-668, because we've been discussing a number of
> > sysinfo permissions problems in the comments on that JIRA issue.
> >
> > Probably you and I should compare notes so that I don't accidentally
> > interfere with the work you're doing on this issue (I confess that
> > I wasn't paying enough attention to DERBY-622 until recently).
> >
> > In the meantime, I'll have a closer look at your work on DERBY-622 and
> > consider how it interacts with my DERBY-668 efforts.
> >
> > thanks,
> >
> > bryan
> >
> >
> >
>
Re: [jira] Commented: (DERBY-622) sysinfo incorrectly requires permission on Derby jar files
Posted by Myrna van Lunteren <m....@gmail.com>.
Hi Bryan,
I admit I didn't look at your patch for DERBY-668, as I was under the
impression you were looking into the permissions for properties...
I'll try to have a look at your patch...
However, note that I did not assign the issue to myself, because there
are some other matters I want to focus on...
:-)
Myrna
On 3/9/06, Bryan Pendleton <bp...@amberpoint.com> wrote:
>
> Myrna van Lunteren (JIRA) wrote:
> > [
> http://issues.apache.org/jira/browse/DERBY-622?page=comments#action_12369771]
>
> Myrna, I think that you and I have been working on a closely
> related problem. You might want to have a close look at the various
> comments in DERBY-668, because we've been discussing a number of
> sysinfo permissions problems in the comments on that JIRA issue.
>
> Probably you and I should compare notes so that I don't accidentally
> interfere with the work you're doing on this issue (I confess that
> I wasn't paying enough attention to DERBY-622 until recently).
>
> In the meantime, I'll have a closer look at your work on DERBY-622 and
> consider how it interacts with my DERBY-668 efforts.
>
> thanks,
>
> bryan
>
>
>
Re: [jira] Commented: (DERBY-622) sysinfo incorrectly requires permission
on Derby jar files
Posted by Bryan Pendleton <bp...@amberpoint.com>.
Myrna van Lunteren (JIRA) wrote:
> [ http://issues.apache.org/jira/browse/DERBY-622?page=comments#action_12369771 ]
Myrna, I think that you and I have been working on a closely
related problem. You might want to have a close look at the various
comments in DERBY-668, because we've been discussing a number of
sysinfo permissions problems in the comments on that JIRA issue.
Probably you and I should compare notes so that I don't accidentally
interfere with the work you're doing on this issue (I confess that
I wasn't paying enough attention to DERBY-622 until recently).
In the meantime, I'll have a closer look at your work on DERBY-622 and
consider how it interacts with my DERBY-668 efforts.
thanks,
bryan