Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.3.1.4
    • Fix Version/s: None
    • Component/s: Network Server, Services
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      Add mechanisms for controlling system-level privileges in Derby. See the related email discussion at http://article.gmane.org/gmane.comp.apache.db.derby.devel/33151.

      The 10.2 GRANT/REVOKE work was a big step forward in making Derby more secure in a client/server configuration. I'd like to plug more client/server security holes in 10.3. In particular, I'd like to focus on authorization issues which the ANSI spec doesn't address.

      Here are the important issues which came out of the email discussion.

      Missing privileges that are above the level of a single database:

      • Create Database
      • Shutdown all databases
      • Shutdown System

      Missing privileges specific to a particular database:

      • Shutdown that Database
      • Encrypt that database
      • Upgrade database
      • Create (in that Database) Java Plugins (currently Functions/Procedures, but someday Aggregates and VTIs)

      Note that 10.2 gave us GRANT/REVOKE control over the following database-specific issues, via granting execute privilege to system procedures:

      • Jar Handling
      • Backup Routines
      • Admin Routines
      • Import/Export
      • Property Handling
      • Check Table

      In addition, since 10.0, the privilege of connecting to a database has been controlled by two properties (derby.database.fullAccessUsers and derby.database.defaultConnectionMode) as described in the security section of the Developer's Guide (see http://db.apache.org/derby/docs/10.2/devguide/cdevcsecure865818.html).

      1. DERBY-2109-12.diff
        123 kB
        Martin Zaun
      2. DERBY-2109-12.stat
        2 kB
        Martin Zaun
      3. DERBY-2109-11.diff
        118 kB
        Martin Zaun
      4. DERBY-2109-11.stat
        2 kB
        Martin Zaun
      5. DERBY-2109-10.diff
        109 kB
        Martin Zaun
      6. DERBY-2109-10.stat
        2 kB
        Martin Zaun
      7. DERBY-2109-09.diff
        104 kB
        Martin Zaun
      8. DERBY-2109-09.stat
        2 kB
        Martin Zaun
      9. SystemPrivilegesBehaviour.html
        16 kB
        Martin Zaun
      10. DERBY-2109-08_addendum.diff
        5 kB
        Martin Zaun
      11. DERBY-2109-08_addendum.stat
        0.3 kB
        Martin Zaun
      12. DERBY-2109-08.diff
        83 kB
        Martin Zaun
      13. DERBY-2109-08.stat
        2 kB
        Martin Zaun
      14. DERBY-2109-07.diff
        80 kB
        Martin Zaun
      15. DERBY-2109-07.stat
        1 kB
        Martin Zaun
      16. DERBY-2109-05and06.diff
        42 kB
        Martin Zaun
      17. DERBY-2109-05and06.stat
        0.9 kB
        Martin Zaun
      18. DERBY-2109-04.diff
        11 kB
        Martin Zaun
      19. DERBY-2109-04.stat
        0.3 kB
        Martin Zaun
      20. DERBY-2109-02.diff
        57 kB
        Martin Zaun
      21. DERBY-2109-02.stat
        0.7 kB
        Martin Zaun
      22. derby-2109-03-javadoc-see-tags.diff
        4 kB
        Kristian Waagan
      23. systemPrivs.html
        61 kB
        Rick Hillegas
      24. systemPrivs.html
        59 kB
        Rick Hillegas
      25. systemPrivs.html
        56 kB
        Rick Hillegas
      26. systemPrivs.html
        32 kB
        Rick Hillegas

          Activity

          Gavin made changes -
          Workflow jira [ 12390149 ] Default workflow, editable Closed status [ 12796869 ]
          Rick Hillegas made changes -
          Link This issue is related to DERBY-5548 [ DERBY-5548 ]
          Dag H. Wanvik made changes -
          Issue Type New Feature [ 2 ] Improvement [ 4 ]
          Dag H. Wanvik made changes -
          Component/s Network Server [ 11410 ]
          Component/s Services [ 11415 ]
          Dag H. Wanvik made changes -
          Component/s Security [ 11411 ]
          Dag H. Wanvik made changes -
          Derby Categories [Security]
          Ole Solberg made changes -
          Link This issue relates to DERBY-3644 [ DERBY-3644 ]
          John H. Embretsen made changes -
          Link This issue is related to DERBY-3614 [ DERBY-3614 ]
          Kathey Marsden made changes -
          Link This issue relates to DERBY-3535 [ DERBY-3535 ]
          Daniel John Debrunner made changes -
          Link This issue is related to DERBY-3532 [ DERBY-3532 ]
          Rick Hillegas made changes -
          Link This issue incorporates DERBY-3495 [ DERBY-3495 ]
          Martin Zaun made changes -
          Assignee Martin Zaun [ mzaun ]
          Daniel John Debrunner made changes -
          Link This issue is related to DERBY-3491 [ DERBY-3491 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-12.diff [ 12376783 ]
          Attachment DERBY-2109-12.stat [ 12376782 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-11.stat [ 12376698 ]
          Attachment DERBY-2109-11.diff [ 12376699 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-10.diff [ 12376650 ]
          Attachment DERBY-2109-10.stat [ 12376649 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-09.stat [ 12374962 ]
          Attachment DERBY-2109-09.diff [ 12374963 ]
          Martin Zaun made changes -
          Attachment SystemPrivilegesBehaviour.html [ 12372914 ]
          Martin Zaun made changes -
          Attachment SystemPrivilegesBehaviour.html [ 12373208 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-08_addendum.stat [ 12373005 ]
          Attachment DERBY-2109-08_addendum.diff [ 12373006 ]
          Martin Zaun made changes -
          Attachment SystemPrivilegesTestCases.html [ 12367069 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-08.diff [ 12372913 ]
          Attachment DERBY-2109-08.stat [ 12372912 ]
          Attachment SystemPrivilegesBehaviour.html [ 12372914 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-07.diff [ 12371132 ]
          Attachment DERBY-2109-07.stat [ 12371131 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-07.stat [ 12371129 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-07.diff [ 12371130 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-07.diff [ 12371130 ]
          Attachment DERBY-2109-07.stat [ 12371129 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-06.stat [ 12367072 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-06.diff [ 12367073 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-05.stat [ 12367070 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-05.diff [ 12367071 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-05and06.stat [ 12367171 ]
          Attachment DERBY-2109-05and06.diff [ 12367172 ]
          Rick Hillegas made changes -
          Link This issue is blocked by DERBY-1387 [ DERBY-1387 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-06.diff [ 12367073 ]
          Attachment DERBY-2109-06.stat [ 12367072 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-05.stat [ 12367070 ]
          Attachment SystemPrivilegesTestCases.html [ 12367069 ]
          Attachment DERBY-2109-05.diff [ 12367071 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-04.stat [ 12359520 ]
          Attachment DERBY-2109-04.diff [ 12359521 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-04.stat [ 12359511 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-04.diff [ 12359512 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-02.diff [ 12359514 ]
          Attachment DERBY-2109-02.stat [ 12359513 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-02.stat [ 12358985 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-02.diff [ 12358986 ]
          Martin Zaun made changes -
          Attachment DERBY-2109-04.diff [ 12359512 ]
          Attachment DERBY-2109-04.stat [ 12359511 ]
          Kristian Waagan made changes -
          Attachment derby-2109-03-javadoc-see-tags.diff [ 12359282 ]
          Martin Zaun made changes -
          Derby Info [Patch Available]
          Martin Zaun made changes -
          Assignee Martin Zaun [ mzaun ]
          Myrna van Lunteren made changes -
          Derby Info [Patch Available]
          Martin Zaun made changes -
          Attachment DERBY-2109-02.stat [ 12358985 ]
          Attachment DERBY-2109-02.diff [ 12358986 ]
          Rick Hillegas made changes -
          Attachment systemPrivs.html [ 12354506 ]
          Dag H. Wanvik made changes -
          Link This issue relates to DERBY-2470 [ DERBY-2470 ]
          Rick Hillegas made changes -
          Link This issue incorporates DERBY-2466 [ DERBY-2466 ]
          Rick Hillegas made changes -
          Attachment systemPrivs.html [ 12349693 ]
          Andrew McIntyre made changes -
          Fix Version/s 10.3.0.0 [ 12310800 ]
          Rick Hillegas made changes -
          Link This issue relates to DERBY-2264 [ DERBY-2264 ]
          Rick Hillegas made changes -
          Attachment systemPrivs.html [ 12348599 ]
          Rick Hillegas made changes -
          Attachment systemPrivs.html [ 12346941 ]
          Rick Hillegas made changes -
          Description: removed "Boot all databases" from the list of missing privileges above the level of a single database; the rest of the text is unchanged.
          Rick Hillegas made changes -
          Description: added "Upgrade database" to the list of missing privileges specific to a particular database; the rest of the text is unchanged.
          Rick Hillegas made changes -
          Description: added "Boot all databases" to the list of missing privileges above the level of a single database; the rest of the text is unchanged.
          Rick Hillegas created issue -

            People

            • Assignee: Unassigned
            • Reporter: Rick Hillegas
            • Votes: 0
            • Watchers: 1
