You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-commits@db.apache.org by km...@apache.org on 2013/04/09 03:41:04 UTC
svn commit: r1465857 - in /db/derby/code/branches/10.8.3.1_testcompat: ./
java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/
java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/
java/testing/org/apache/derbyTesting/functionTe...
Author: kmarsden
Date: Tue Apr 9 01:41:03 2013
New Revision: 1465857
URL: http://svn.apache.org/r1465857
Log:
DERBY-5363 Tighten permission on db files to owner
Update policy files to add RuntimePermission "accessUserInformation"
and read permission on trace files. Partial merge on revision 1180713
Modified:
db/derby/code/branches/10.8.3.1_testcompat/ (props changed)
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/junit/TestConfiguration.java
Propchange: db/derby/code/branches/10.8.3.1_testcompat/
------------------------------------------------------------------------------
Merged /db/derby/code/trunk:r1176591
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/GetCurrentPropertiesTest.policy Tue Apr 9 01:41:03 2013
@@ -88,6 +88,8 @@ grant codeBase "${derbyTesting.codejar}d
// might not be unregistered from the MBean server. See DERBY-3561.
permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]","unregisterMBean";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -108,6 +110,10 @@ grant codeBase "${derbyTesting.codejar}d
// For testPropertiesAfterConnection and testPropertiesTraceOn
permission java.io.FilePermission "${derby.system.home}${/}-", "write";
+ // Set be able to restrict visibility on trace files
+ permission java.io.FilePermission "${user.dir}${/}system${/}-", "read";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -223,6 +229,10 @@ grant codeBase "${derbyTesting.codeclass
// streams. Currently the nist suite runs with useprocess=false.
permission java.lang.RuntimePermission "setSecurityManager";
permission java.lang.RuntimePermission "setIO";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
+
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/NetworkServerControlApiTest.policy Tue Apr 9 01:41:03 2013
@@ -83,6 +83,9 @@ grant codeBase "${derbyTesting.codejar}d
permission java.security.SecurityPermission "insertProvider.SunJCE";
permission java.security.SecurityPermission "insertProvider.IBMJCE";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -99,8 +102,12 @@ grant codeBase "${derbyTesting.codejar}d
permission java.net.SocketPermission "localhost", "accept,connect";
permission java.net.SocketPermission "${derbyTesting.clienthost}", "accept,connect";
permission java.net.SocketPermission "${derbyTesting.serverhost}", "accept,connect";
+
//tracing testing. NetworkServerControlApiTest
- permission java.io.FilePermission "${derby.system.home}${/}-", "write";
+ permission java.io.FilePermission "${derby.system.home}${/}-", "read,write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}", "read,write";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -210,6 +217,9 @@ grant codeBase "${derbyTesting.codeclass
// streams. Currently the nist suite runs with useprocess=false.
permission java.lang.RuntimePermission "setSecurityManager";
permission java.lang.RuntimePermission "setIO";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/RuntimeInfoTest.policy Tue Apr 9 01:41:03 2013
@@ -133,6 +133,9 @@ permission java.util.PropertyPermission
// traces upon failure.
permission java.lang.RuntimePermission "getStackTrace";
permission java.lang.RuntimePermission "modifyThreadGroup";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -322,6 +325,9 @@ grant codeBase "${derbyTesting.codeclass
permission org.apache.derby.security.SystemPermission "jmx", "control";
permission org.apache.derby.security.SystemPermission "engine", "monitor";
permission org.apache.derby.security.SystemPermission "server", "control,monitor";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/derbynet/ServerPropertiesTest.policy Tue Apr 9 01:41:03 2013
@@ -88,6 +88,8 @@ grant codeBase "${derbyTesting.codejar}d
// might not be unregistered from the MBean server. See DERBY-3561.
permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]","unregisterMBean";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -107,6 +109,11 @@ grant codeBase "${derbyTesting.codejar}d
// for testToggleTrace:
permission java.io.FilePermission "${derby.system.home}${/}-", "write";
+
+ // Set be able to restrict visibility on trace files
+ permission java.io.FilePermission "${user.dir}${/}system${/}-", "read";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -227,6 +234,9 @@ grant codeBase "${derbyTesting.codeclass
// may be testing JMX functionality. Without this permission, old MBeans
// might not be unregistered from the MBean server. See DERBY-3561.
permission javax.management.MBeanPermission "org.apache.derby.*#[org.apache.derby:*]","unregisterMBean";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/jdbc4/noAbortPermission.policy Tue Apr 9 01:41:03 2013
@@ -117,6 +117,9 @@ grant codeBase "${derbyTesting.codejar}d
// This permission is needed to call the Connection.abort(Executor) method added by JDBC 4.1
permission java.sql.SQLPermission "callAbort";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -318,6 +321,9 @@ grant codeBase "${derbyTesting.codeclass
permission org.apache.derby.security.SystemPermission "jmx", "control";
permission org.apache.derby.security.SystemPermission "engine", "monitor";
permission org.apache.derby.security.SystemPermission "server", "control,monitor";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.initial.policy Tue Apr 9 01:41:03 2013
@@ -49,6 +49,8 @@ grant codeBase "${derbyTesting.codejar}d
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
grant codeBase "${derbyTesting.codejar}derbynet.jar"
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/tests/lang/SecurityPolicyReloadingTest.modified.policy Tue Apr 9 01:41:03 2013
@@ -49,6 +49,8 @@ grant codeBase "${derbyTesting.codejar}d
// You may want to restrict this access to specific directories.
//
permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
grant codeBase "${derbyTesting.codejar}derbynet.jar"
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/functionTests/util/derby_tests.policy Tue Apr 9 01:41:03 2013
@@ -134,6 +134,9 @@ grant codeBase "${derbyTesting.codejar}d
permission java.lang.RuntimePermission "getStackTrace";
permission java.lang.RuntimePermission "modifyThreadGroup";
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
+
// This permission is needed to call the Connection.abort(Executor) method added by JDBC 4.1
permission java.sql.SQLPermission "callAbort";
};
@@ -145,6 +148,7 @@ grant codeBase "${derbyTesting.codejar}d
permission java.util.PropertyPermission "java.class.path", "read";//sysinfo
permission java.util.PropertyPermission "java.runtime.version", "read";//sysinfo
permission java.util.PropertyPermission "java.fullversion", "read";//sysinfo
+ permission java.util.PropertyPermission "derby.__serverStartedFromCmdLine", "write";
// accept is needed for the server accepting connections
// connect is needed for ping command (which is in the server jar)
@@ -153,11 +157,21 @@ grant codeBase "${derbyTesting.codejar}d
permission java.net.SocketPermission "${derbyTesting.clienthost}", "accept,connect";
permission java.net.SocketPermission "${derbyTesting.serverhost}", "accept,connect";
// Need to be able to write to trace file for NetworkServerControlApiTest
- permission java.io.FilePermission "${user.dir}${/}system${/}trace", "write";
- permission java.io.FilePermission "${user.dir}${/}system${/}trace${/}-", "write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}trace", "read,write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}trace${/}-", "read,write";
+
+ // Need read/write to trace file for RestrictiveFilePermissionsTest
+ permission java.io.FilePermission "${user.dir}${/}system${/}RFPT_db_tracefiles_restr", "read,write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}RFPT_db_tracefiles_lax", "read,write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}RFPT_db_tracefiles_restr${/}-", "read,write";
+ permission java.io.FilePermission "${user.dir}${/}system${/}RFPT_db_tracefiles_lax${/}-", "read,write";
+
// Needed for NetworkServerMBean access (see JMX section above)
permission org.apache.derby.security.SystemPermission "server", "control,monitor";
-
+
+ // For NetworkServerControlApiTest:
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -263,6 +277,9 @@ grant codeBase "${derbyTesting.testjar}d
// These permissions are needed when testing code instrumented with EMMA.
permission java.lang.RuntimePermission "${emma.active}writeFileDescriptor";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
};
//
@@ -335,6 +352,10 @@ grant codeBase "${derbyTesting.codeclass
permission org.apache.derby.security.SystemPermission "jmx", "control";
permission org.apache.derby.security.SystemPermission "engine", "monitor";
permission org.apache.derby.security.SystemPermission "server", "control,monitor";
+
+ // Needed by FileUtil#limitAccessToOwner
+ permission java.lang.RuntimePermission "accessUserInformation";
+
};
// JUnit jar file tries to read junit.properties in the user's
Modified: db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/junit/TestConfiguration.java
URL: http://svn.apache.org/viewvc/db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/junit/TestConfiguration.java?rev=1465857&r1=1465856&r2=1465857&view=diff
==============================================================================
--- db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/junit/TestConfiguration.java (original)
+++ db/derby/code/branches/10.8.3.1_testcompat/java/testing/org/apache/derbyTesting/junit/TestConfiguration.java Tue Apr 9 01:41:03 2013
@@ -710,7 +710,7 @@ public final class TestConfiguration {
* name. This decorator expects the database file to be local so it can be
* removed.
* @param test Test to be decorated
- * @param dbName We sometimes need to know outside to be able topass it on
+ * @param dbName We sometimes need to know outside to be able to pass it on
* to other VMs/processes.
* @return decorated test.
*/