Uploaded image for project: 'Derby'
  1. Derby
  2. DERBY-5363

Tighten permissions of DB files to owner with >= JDK7

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 10.9.1.0
    • Miscellaneous, Services, Store
    • None
    • Release Note Needed
    • Security

    Description

      Before Java 6, files created by Derby would have the default
      permissions of the operating system context. Under Unix, this would
      depend on the effective umask of the process that started the Java VM.

      In Java 6 and 7, there are methods available that allows tightening up this
      (File.setReadable, setWritable), making it less likely that somebody
      would accidentally run Derby with a too lenient default.

      I suggest we take advantage of this, and let Derby by default (in Java
      6 and higher) limit the visibility to the OS user that starts the VM,
      e.g. on Unix this would be equivalent to running with umask 0077. More
      secure by default is good, I think.

      We could have a flag, e.g. "derby.storage.useDefaultFilePermissions"
      that when set to true, would give the old behavior.

      Attachments

        1. permission-5.diff
          19 kB
          Dag H. Wanvik
        2. permission-5.stat
          1 kB
          Dag H. Wanvik
        3. z.sql
          1 kB
          Richard N. Hillegas
        4. permission-6.diff
          35 kB
          Dag H. Wanvik
        5. permission-6.stat
          2 kB
          Dag H. Wanvik
        6. derby-5363-basic-1.diff
          78 kB
          Dag H. Wanvik
        7. derby-5363-basic-1.stat
          3 kB
          Dag H. Wanvik
        8. property-table.png
          53 kB
          Dag H. Wanvik
        9. derby-5363-basic-2.diff
          70 kB
          Dag H. Wanvik
        10. derby-5363-basic-2.stat
          2 kB
          Dag H. Wanvik
        11. derby-5363-basic-3.diff
          68 kB
          Dag H. Wanvik
        12. derby-5363-basic-3.stat
          2 kB
          Dag H. Wanvik
        13. derby-5363-server-1.diff
          4 kB
          Dag H. Wanvik
        14. derby-5363-full-1.diff
          106 kB
          Dag H. Wanvik
        15. derby-5363-full-1.stat
          3 kB
          Dag H. Wanvik
        16. derby-5363-full-2.diff
          106 kB
          Dag H. Wanvik
        17. derby-5363-full-2.stat
          3 kB
          Dag H. Wanvik
        18. releaseNote.html
          5 kB
          Dag H. Wanvik
        19. releaseNote.html
          5 kB
          Dag H. Wanvik
        20. releaseNote.html
          5 kB
          Richard N. Hillegas
        21. releaseNote.html
          5 kB
          Dag H. Wanvik
        22. derby-5363-full-3.diff
          107 kB
          Dag H. Wanvik
        23. derby-5363-full-3.stat
          3 kB
          Dag H. Wanvik
        24. derby-5363-full-4.diff
          102 kB
          Dag H. Wanvik
        25. derby-5363-full-4.stat
          3 kB
          Dag H. Wanvik
        26. derby-5363-full-5.diff
          101 kB
          Dag H. Wanvik
        27. derby-5363-full-5.stat
          3 kB
          Dag H. Wanvik
        28. derby-5363-followup.diff
          1 kB
          Dag H. Wanvik
        29. derby-5363-limit-to-java7.diff
          2 kB
          Dag H. Wanvik
        30. derby-5363-limit-to-java7.stat
          0.1 kB
          Dag H. Wanvik
        31. releaseNote.html
          5 kB
          Dag H. Wanvik
        32. derby-5363-followup-linux.diff
          18 kB
          Dag H. Wanvik
        33. derby-5363-followup-linux.diff
          25 kB
          Dag H. Wanvik
        34. derby-5363-limit-to-java7b.diff
          2 kB
          Dag H. Wanvik
        35. derby-5363-limit-to-java7b.stat
          0.1 kB
          Dag H. Wanvik
        36. releaseNote.html
          6 kB
          Dag H. Wanvik
        37. derby-5363-followup-unix.diff
          17 kB
          Dag H. Wanvik
        38. derby-5363-followup-unix.stat
          1 kB
          Dag H. Wanvik
        39. derby-5363-followup-unix.diff
          17 kB
          Dag H. Wanvik
        40. releaseNote.html
          6 kB
          Richard N. Hillegas

        Issue Links

          incorporates

          Bug - A problem which impairs or prevents the functions of the product. DERBY-5492 Restrictive file permissions: permissions removed also for owner on NTFS if Acl does not contain explicit entry for owner

          • Major - Major loss of function.
          • Closed
          is related to

          Sub-task - The sub-task of the issue DERBY-5442 Create documentation for restrictive file permissions feature

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. DERBY-6521 Improve error handling when restricting file permissions

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. DERBY-5434 On linux with IBM JDK 1.7 suites.All does not run at all failing with java.lang.reflect.InvocationTargetException

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. DERBY-6160 Fixes needed to documentation topics on security policy permissions

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. DERBY-6209 Add release note omitted with 10.9 for new required Security Manager permissions after DERBY-5363

          • Major - Major loss of function.
          • Closed

          Improvement - An improvement or enhancement to an existing feature or task. DERBY-6258 Restrict permissions on BACKUP.HISTORY

          • Major - Major loss of function.
          • Closed

          Activity

            People

              dagw Dag H. Wanvik
              dagw Dag H. Wanvik
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: