You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by Daniel John Debrunner <dj...@apache.org> on 2006/11/28 20:07:08 UTC
Java routine security Was Re: plugging more security holes in Derby
Rick Hillegas wrote:
> Daniel John Debrunner wrote:
>> Rick Hillegas wrote:
>>> - Create (in that Database) Java Plugins (currently
>>> Functions/Procedures, but someday Aggregates and VTIs)
>>
>> Can you explain what this means, what security issue are you trying to
>> address?
> I'm concerned about being able to exploit security holes in code not
> supplied by Derby or the application. For instance, security holes in
> the jdk classes or in other applications hosted on the same vm.
This is actually due to an extension to the SQL standard (part 13) that
Derby and other databases provide. The ability to have the EXTERNAL NAME
for a Java routine to be a method in a class without specifying an
installed jar file name. The security model provided by SQL part 13 does
provide security by only allowing routines to resolve to a specific
installed jar file and providing the USAGE privilege on installed jar files.
Derby follows a different path, basically adding an installed jar file
to derby.database.classpath implicitly grants USAGE on that jar to
PUBLIC. The ability to perform this implicit grant is, as you say,
itself under GRANT/REVOKE because one must have EXECUTE permission on
the procedure to set the database property. Then in addition the class
in external name in Derby need not come from a jar file, but can be
resolved from the vm's classpath.
So one part of the solution would be to enhance Derby to support
installed jar names in EXTERNAL NAME and to implement the USAGE
privilege, following the SQL standard (part 13).
Then to address the resolution of routines that do not specify an
installed jar name in EXTERNAL NAME Derby could change from an implictly
adding the current classpath to the database classpath to a model where
it must explictily be added. Maybe fixed tokens like:
JRE - routines can resolve to any classes that start with
java. and javax.
CLASSPATH - routines can resolve to any classes that are on the vm's
classpath
E.g.
derby.database.classpath=<unset>
- No resolution of any routines that do not specify a jar file.
derby.database.classpath=SALES.SALES_FORCAST
- Only resolve methods from SALES.SALES_FORCAST
derby.database.classpath=JRE:SALES.SALES_FORCAST
- Only resolve methods from the JRE's java. and javax. classes and
classes in SALES.SALES_FORCAST
derby.database.classpath=CLASSPATH:SALES.SALES_FORCAST
- Only resolve methods from the current classpath, excluding java.
and javax classes, and those from SALES.SALES_FORCAST
derby.database.classpath=JRE:CLASSPATH:SALES.SALES_FORCAST
- Resolve methods as 10.2.
Dan.