[FELIX-3196] Security Problem: Getting full file access within the cache directory from one Bundle - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: framework.security-2.0.0
Fix Version/s: framework.security-2.0.1
Component/s: Framework Security
Labels:
None
Environment:
felix-framework-4.0.1

Description

It seems that there is a security problem in the "Framework Security" module of Felix.
I have full access to the bundle cache directory from each bundle.

Expectation: I should only get full access to the data storage of the bundle itself.
Actually I was able to create files from Bundle 25 inside the data storage of Bundle 0.
I even could delete the whole directory of Bundle 0.

I checked the same with Knopflerfish which does this check correctly.

Do I have to set more configuration parameters?
The OSGi specification defines that the framework should grant access to the bundle's data storage.

Attachments

Activity

People

Assignee:: Karl Pauls

Reporter:: Michael Grammling

Votes:: 0 Vote for this issue

Watchers:: 0 Start watching this issue

Dates

Created:: 03/Nov/11 08:23

Updated:: 20/Nov/11 19:57

Resolved:: 20/Nov/11 19:57