You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by da...@apache.org on 2011/10/09 22:47:36 UTC
svn commit: r1180713 - in /db/derby/code/trunk/java:
drda/org/apache/derby/drda/ engine/org/apache/derby/iapi/services/io/
testing/org/apache/derbyTesting/functionTests/tests/derbynet/
testing/org/apache/derbyTesting/functionTests/tests/engine/ testing...
Author: dag
Date: Sun Oct 9 20:47:36 2011
New Revision: 1180713
URL: http://svn.apache.org/viewvc?rev=1180713&view=rev
Log:
DERBY-5363 Tighten permissions of DB files to owner with >= JDK7
Patch derby-5363-followup-unix.
It turns out there is no guarantee the the underlying file system
supports ACLs even though Files#getFileAttributeView called with
aclFileAttributeViewClz.class as an argument returns an object. We
also need to call the method:
FileStore#supportsFileAttributeView(AclFileAttributeView.class)
to ascertain whether we have support for ACLs. To get at the current
FileStore, we need to inquire about that given a path:
Files.getFileStore(<path>)
which requires the RuntimePermission "getFileStoreAttributes", hence
the current patch's changes to the policy files.
With the patch, RestrictiveFilePermissionsTest run OK on Solaris/UFS.
Modified:
db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy
db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/io/FileUtil.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/engine/RestrictiveFilePermissionsTest.java
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/server.policy Sun Oct 9 20:47:36 2011
@@ -101,6 +101,7 @@ grant codeBase "${derby.install.url}derb
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derby.install.url}derbynet.jar"
@@ -125,6 +126,7 @@ grant codeBase "${derby.install.url}derb
permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
// Needed for NetworkServerMBean access (see JMX section above)
permission org.apache.derby.security.SystemPermission "server", "control,monitor";
Modified: db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy (original)
+++ db/derby/code/trunk/java/drda/org/apache/derby/drda/template.policy Sun Oct 9 20:47:36 2011
@@ -88,6 +88,7 @@ grant codeBase "${derby.install.url}derb
// Needed by file permissions restriction system:
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derby.install.url}derbynet.jar"
@@ -112,6 +113,7 @@ grant codeBase "${derby.install.url}derb
permission java.io.FilePermission "${derby.drda.traceDirectory}${/}-", "read,write,delete";
// Needed by file permissions restriction system:
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine", "read, write";
//
Modified: db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/io/FileUtil.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/io/FileUtil.java?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/io/FileUtil.java (original)
+++ db/derby/code/trunk/java/engine/org/apache/derby/iapi/services/io/FileUtil.java Sun Oct 9 20:47:36 2011
@@ -611,9 +611,12 @@ nextFile: for (int i = 0; i < list.lengt
private static Class stringArrayClz;
private static Class aclEntryBuilderClz;
private static Class aclEntryTypeClz;
+ private static Class fileStoreClz;
private static Method get;
private static Method getFileAttributeView;
+ private static Method supportsFileAttributeView;
+ private static Method getFileStore;
private static Method getOwner;
private static Method getAcl;
private static Method setAcl;
@@ -712,17 +715,19 @@ nextFile: for (int i = 0; i < list.lengt
"java.nio.file.attribute.AclEntry$Builder");
aclEntryTypeClz = Class.forName(
"java.nio.file.attribute.AclEntryType");
-
- get = pathsClz.
- getMethod("get",
- new Class[]{String.class, stringArrayClz});
-
- getFileAttributeView = filesClz.
- getMethod("getFileAttributeView",
- new Class[]{pathClz,
- Class.class,
- linkOptionArrayClz});
-
+ fileStoreClz = Class.forName(
+ "java.nio.file.FileStore");
+ get = pathsClz.getMethod(
+ "get",
+ new Class[]{String.class, stringArrayClz});
+ getFileAttributeView = filesClz.getMethod(
+ "getFileAttributeView",
+ new Class[]{pathClz, Class.class, linkOptionArrayClz});
+ supportsFileAttributeView = fileStoreClz.getMethod(
+ "supportsFileAttributeView",
+ new Class[]{Class.class});
+ getFileStore = filesClz.getMethod("getFileStore",
+ new Class[]{pathClz});
getOwner = filesClz.
getMethod("getOwner",
new Class[]{pathClz, linkOptionArrayClz});
@@ -747,6 +752,7 @@ nextFile: for (int i = 0; i < list.lengt
allow = aclEntryTypeClz.getField("ALLOW");
} catch (NoSuchMethodException e) {
+ e.printStackTrace();
// not Java 7 or higher
} catch (ClassNotFoundException e) {
// not Java 7 or higher
@@ -869,6 +875,22 @@ nextFile: for (int i = 0; i < list.lengt
Object fileP = get.invoke(
null, new Object[]{file.getPath(), new String[]{}});
+ // ACLs supported on this platform, now check the current file
+ // system:
+ Object fileStore = getFileStore.invoke(
+ null,
+ new Object[]{fileP});
+
+ boolean supported =
+ ((Boolean)supportsFileAttributeView.invoke(
+ fileStore,
+ new Object[]{aclFileAttributeViewClz})).booleanValue();
+
+ if (!supported) {
+ return false;
+ }
+
+
// AclFileAttributeView view =
// Files.getFileAttributeView(fileP,
// AclFileAttributeView.class);
@@ -879,10 +901,10 @@ nextFile: for (int i = 0; i < list.lengt
Array.newInstance(linkOptionClz, 0)});
if (view == null) {
- // ACLs not supported on this platform
return false;
}
+
// If we have a posix view, we can use ACLs to interface
// the usual Unix permission masks vi the special principals
// OWNER@, GROUP@ and EVERYONE@
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy Sun Oct 9 20:47:36 2011
@@ -90,6 +90,7 @@ grant codeBase "${derbyTesting.codejar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -114,6 +115,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.io.FilePermission "${user.dir}${/}system${/}-", "read";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -232,6 +234,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy Sun Oct 9 20:47:36 2011
@@ -86,6 +86,7 @@ grant codeBase "${derbyTesting.codejar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -108,6 +109,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.io.FilePermission "${user.dir}${/}system${/}", "read,write";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -220,6 +222,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy Sun Oct 9 20:47:36 2011
@@ -136,6 +136,7 @@ permission java.util.PropertyPermission
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -328,6 +329,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy Sun Oct 9 20:47:36 2011
@@ -90,6 +90,7 @@ grant codeBase "${derbyTesting.codejar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -114,6 +115,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.io.FilePermission "${user.dir}${/}system${/}-", "read";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -237,6 +239,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/engine/RestrictiveFilePermissionsTest.java
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/engine/RestrictiveFilePermissionsTest.java?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/engine/RestrictiveFilePermissionsTest.java (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/engine/RestrictiveFilePermissionsTest.java Sun Oct 9 20:47:36 2011
@@ -510,9 +510,12 @@ public class RestrictiveFilePermissionsT
private static Class stringArrayClz;
private static Class aclEntryBuilderClz;
private static Class aclEntryTypeClz;
+ private static Class fileStoreClz;
private static Method get;
private static Method getFileAttributeView;
+ private static Method supportsFileAttributeView;
+ private static Method getFileStore;
private static Method getOwner;
private static Method getAcl;
private static Method principal;
@@ -628,6 +631,8 @@ public class RestrictiveFilePermissionsT
"java.nio.file.attribute.AclEntry$Builder");
aclEntryTypeClz = Class.forName(
"java.nio.file.attribute.AclEntryType");
+ fileStoreClz = Class.forName(
+ "java.nio.file.FileStore");
get = pathsClz.
getMethod("get",
@@ -639,7 +644,11 @@ public class RestrictiveFilePermissionsT
new Class[]{pathClz,
Class.class,
linkOptionArrayClz});
-
+ supportsFileAttributeView = fileStoreClz.getMethod(
+ "supportsFileAttributeView",
+ new Class[]{Class.class});
+ getFileStore = filesClz.getMethod("getFileStore",
+ new Class[]{pathClz});
getOwner = filesClz.
getMethod(
"getOwner",
@@ -690,6 +699,18 @@ public class RestrictiveFilePermissionsT
null, new Object[]{file.getPath(),
new String[]{}});
+ // ACLs supported on this platform? Check the current
+ // file system:
+ Object fileStore = getFileStore.invoke(
+ null,
+ new Object[]{fileP});
+
+ boolean aclsSupported =
+ ((Boolean)supportsFileAttributeView.invoke(
+ fileStore,
+ new Object[]{aclFileAttributeViewClz})).
+ booleanValue();
+
Object aclView = getFileAttributeView.invoke(
null,
new Object[]{
@@ -704,7 +725,8 @@ public class RestrictiveFilePermissionsT
posixFileAttributeViewClz,
Array.newInstance(linkOptionClz, 0)});
- if (aclView != null) { // Windows, Solaris 11
+ if (aclsSupported && aclView != null) {
+ // Windows, Solaris 11
Object owner = getOwner.invoke(
null,
new Object[]{
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy Sun Oct 9 20:47:36 2011
@@ -120,6 +120,7 @@ grant codeBase "${derbyTesting.codejar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -324,6 +325,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy Sun Oct 9 20:47:36 2011
@@ -51,6 +51,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derbyTesting.codejar}derbynet.jar"
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy Sun Oct 9 20:47:36 2011
@@ -51,6 +51,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
grant codeBase "${derbyTesting.codejar}derbynet.jar"
Modified: db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
URL: http://svn.apache.org/viewvc/db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=1180713&r1=1180712&r2=1180713&view=diff
==============================================================================
--- db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy (original)
+++ db/derby/code/trunk/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy Sun Oct 9 20:47:36 2011
@@ -136,6 +136,7 @@ grant codeBase "${derbyTesting.codejar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
// This permission is needed to call the Connection.abort(Executor) method added by JDBC 4.1
permission java.sql.SQLPermission "callAbort";
@@ -172,6 +173,7 @@ grant codeBase "${derbyTesting.codejar}d
// For NetworkServerControlApiTest:
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -284,6 +286,7 @@ grant codeBase "${derbyTesting.testjar}d
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};
//
@@ -362,6 +365,7 @@ grant codeBase "${derbyTesting.codeclass
// Needed by FileUtil#limitAccessToOwner
permission java.lang.RuntimePermission "accessUserInformation";
+ permission java.lang.RuntimePermission "getFileStoreAttributes";
};