Derby / DERBY-2908

10.3.1.0 / 1.1.0 Derby eclipse plugin gives security error referring to user.dir read permission because derby.system.home is set to '.'

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.3.1.4, 10.4.1.3
    • Fix Version/s: 10.3.1.4
    • Component/s: Eclipse Plug-in
    • Labels:
      None
    • Environment:
      eclipse 3.2.1 with derby 10.3.1.0 core plugin, ui and doc plugin 1.1.0.
    • Urgency:
      Normal
    • Issue & fix info:
      Release Note Needed
    • Bug behavior facts:
      Regression

      Description

      The Derby nature sets by default -Dderby.system.home=. (set in plugins/eclipse/org.apache.derby.ui/src/org/apache/derby/ui/properties/DerbyProperties.java and checked in plugins/eclipse/org.apache.derby.ui/src/org/apache/derby/uitl/DerbyServerUtils.java)
      With the default security policy, however, such a setting for ij & NetworkServerControl results in a security error in ij.
      (See stack in thread: http://www.nabble.com/10.3.1.0b-eclipse-plugin---default-security-tf4030218.html)

      It's possible this is a bug in itself...
      One work around is to add the following permission to the default policy file:
      permission java.util.PropertyPermission "user.dir", "read";

      Another solution is to not set the derby.system.home to anything by default, and if it's not set to anything, not pass on -Dderby.system.home= to the networkserver process (specifying -Dderby.system.home= without a value fails to start networkserver).
      This would mean increasing the version of the plugins. To 1.1.1?

      Yet another thing would be to adjust the plugin to handle adjusting the security policy...

      1. derby_ecplipse_plugins_1.1.1_2908.zip
        857 kB
        Myrna van Lunteren
      2. DERBY-2908_plugin111.diff
        4 kB
        Myrna van Lunteren
      3. DERBY-2908_plugin111.stat
        2 kB
        Myrna van Lunteren
      4. derby-2908-patchDefaultPolicy-01.diff
        1 kB
        Rick Hillegas

          Activity

          Myrna van Lunteren created issue -
          Rick Hillegas added a comment -

          Attaching derby-2908-patchDefaultPolicy-01.diff. This adds permission to read the user.dir property to the server and template policies.

          I think that this is a reasonable, defensive move. Although the default behavior is to set derby.system.home to user.dir, nothing prevents the user from explicitly stating that they want this default behavior. It's a minority but not unreasonable usage.

          I am running regression tests just to be safe. If the tests pass, I'm inclined to commit this patch unless someone objects.

          Rick Hillegas made changes -
          Field Original Value New Value
          Attachment derby-2908-patchDefaultPolicy-01.diff [ 12361303 ]
          Daniel John Debrunner added a comment -

          I'd always assumed that derby.system.home had to be an absolute path, but I see there's nothing in the documentation that states that.

          Note that '.' (dot) has no meaning in Java, thus the eclipse plugin should not be using

          -Dderby.system.home=.

          as it's technically non-portable, though likely to work on most operating systems that Derby will run on.

          Andrew McIntyre added a comment -

          I think it is probably the dot that causes java.io.Win32FileSystem to access the property user.dir in order to get the canonical filename. The security exception is then thrown since the Derby code further up the stack does not have permission to read user.dir. I'd have to look at the code for java.io.Win32FileSystem, but I don't have that handy right now.

          Clearly some other code path is taken when the dot is not present, since this works normally outside of eclipse (no security exception with no derby.system.home set). If I have some time later today, I will try removing the default setting of the dot and build the plugin to see if that solves the problem.
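
Added example (not part of the comment above and not Derby code): a stand-alone Java demo of the behaviour under discussion, where resolving a relative path such as '.' makes java.io.File read the user.dir property and fails when the policy withholds `java.util.PropertyPermission "user.dir", "read"`. It assumes a JDK where a SecurityManager can still be installed (Java 17 or earlier, or 18 to 23 started with -Djava.security.manager=allow); the names UserDirDemo, DenyUserDir and resolve are hypothetical.

```java
import java.io.File;
import java.security.Permission;
import java.util.PropertyPermission;

public class UserDirDemo {

    /**
     * Stand-in for a policy that lacks
     *   permission java.util.PropertyPermission "user.dir", "read";
     * Every other permission is allowed so only this one check is visible.
     */
    static final class DenyUserDir extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof PropertyPermission
                    && "user.dir".equals(perm.getName())) {
                throw new SecurityException("access denied " + perm);
            }
        }
    }

    /** Resolves a candidate derby.system.home value the way File does. */
    static String resolve(String systemHome) {
        try {
            return "ok -> " + new File(systemHome).getAbsolutePath();
        } catch (SecurityException e) {
            return "SecurityException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Capture an absolute form of the working directory while the
        // user.dir property is still readable.
        String absoluteHome = new File(".").getAbsolutePath();

        System.setSecurityManager(new DenyUserDir());

        // Relative value: File must consult user.dir, so the check fails.
        System.out.println("'.'      : " + resolve("."));
        // Absolute value: no user.dir lookup is needed, so it succeeds.
        System.out.println("absolute : " + resolve(absoluteHome));
    }
}
```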

          Rick Hillegas added a comment -

          Committed derby-2908-patchDefaultPolicy-01.diff to trunk at subversion revision 553949. Ported to 10.3 branch at revision 553952.

          Myrna van Lunteren added a comment -

          Attaching a patch which modifies the plugin to use 'null' by default for derby.system.home. I put some extra if (<derby.system.home> != null) although I'm not sure that was even necessary.
          Also modified the doc to reflect a change in the default value.
          Increased the plugin versions to 1.1.1. for this.

          If this looks ok, and someone checks tonight (California time) then I wonder if I should undo Rick's changes to the default policy file & documentation,...?

          Myrna van Lunteren made changes -
          Attachment DERBY-2908_plugin111.diff [ 12361365 ]
          Attachment DERBY-2908_plugin111.stat [ 12361364 ]
          Myrna van Lunteren added a comment -

          forgot to mention, I generated the patch on the 10.3 branch. But I don't think that matters at this point.

          Myrna van Lunteren made changes -
          Attachment DERBY-2908_plugin111.diff [ 12361365 ]
          Myrna van Lunteren made changes -
          Attachment DERBY-2908_plugin111.stat [ 12361364 ]
          Myrna van Lunteren added a comment -

          forgot to update the screen shot, removed older file.

          Myrna van Lunteren made changes -
          Attachment DERBY-2908_plugin111.stat [ 12361366 ]
          Attachment DERBY-2908_plugin111.diff [ 12361367 ]
          Myrna van Lunteren added a comment -

          attaching zip file for generated 1.1.1 plugins.

          Myrna van Lunteren made changes -
          Attachment derby_ecplipse_plugins_1.1.1_2908.zip [ 12361368 ]
          Myrna van Lunteren added a comment -

          After some more thinking, I realized that even though the solution to modify the plugins is valid, we cannot do away with the user.dir read permissions...The change of the default would only affect new projects; existing projects (that did not have the default modified, which I would think are most) will still have the ',' as derby.system.home, thus causing the security error without the user.dir read permission.

          So, we'll live with the work-around of keeping the user.dir read permission in the default policy, and we can implement the change to the plugin e.g. in version 10.4...
          At that time, it would probably be a good idea to add functionality to the plugin to enable editing the default policy.

          I'll log a new bug and close this one as fixed (and roll it into the release notes).

          Myrna van Lunteren made changes -
          Link This issue relates to DERBY-2913 [ DERBY-2913 ]
          Myrna van Lunteren made changes -
          Fix Version/s 10.3.1.1 [ 12312542 ]
          Derby Info [Regression, Existing Application Impact] [Existing Application Impact, Regression]
          Resolution Fixed [ 1 ]
          Status Open [ 1 ] Resolved [ 5 ]
          Assignee Rick Hillegas [ rhillegas ]
          Myrna van Lunteren made changes -
          Status Resolved [ 5 ] Closed [ 6 ]
          Dag H. Wanvik made changes -
          Bug behavior facts [Regression]
          Dag H. Wanvik made changes -
          Issue & fix info [Existing Application Impact] [Release Note Needed]
          Gavin made changes -
          Workflow jira [ 12407760 ] Default workflow, editable Closed status [ 12797363 ]

            People

            • Assignee:
              Rick Hillegas
              Reporter:
              Myrna van Lunteren