db-derby-user mailing list archives

From Michael Remijan <mjremi...@live.com>
Subject RE: Need help with security policy
Date Wed, 22 Aug 2018 00:38:25 GMT
Wow, thank you very much.  I will take a look at it as soon as I can.

From: Rick Hillegas <rick.hillegas@gmail.com>
Sent: Monday, August 20, 2018 9:02 PM
To: derby-user@db.apache.org
Subject: Re: Need help with security policy

Hey Mark,

I have reproduced some of your security policy problems with Derby 10.14.2.0 on Java 11. I
used the server.policy bundled with the product. I had to adjust the policy file as follows:

1) Grant derbynet.jar the following additional permissions:

  permission java.util.PropertyPermission "derby.*", "read,write";
  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

2) Grant derbytools.jar the following additional permission:

  permission java.util.PropertyPermission "*", "read,write";

3) Grant derbyclient.jar the following additional permission:

  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

With those adjustments, the experiments ran successfully. I have attached the files which
I used for these experiments:

  zstart - script to boot the server

  zij - script to run a simple ij script using the client driver

  zstop - script to shutdown the server

  zz.policy - policy file used by all of the scripts

Hope this helps,
-Rick


On 8/20/18 5:49 AM, Michael Remijan wrote:
Hi Derby users.

I need some help getting the security policy right.

First, here is the command line with all the options for when I start Derby.  I'm pretty sure
I got all these correct.

/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527
-Dderby.install.url=file:/home/derby/opt/derby/lib/
-Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl start

My Java version is:
OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)

My Derby version is:
10.14.2.0

My Derby sysinfo is:
------------------ Java Information ------------------
Java Version:    11-ea
Java Vendor:     Azul Systems, Inc.
Java home:       /opt/zulu11.1+23-ea-jdk11-linux_x64
Java classpath:  /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
OS name:         Linux
OS architecture: amd64
OS version:      4.15.0-20-generic
Java user name:  derby
Java user home:  /home/derby
Java user dir:   /opt/db-derby-10.14.2.0-bin/bin
java.specification.name: Java Platform API Specification
java.specification.version: 11
java.runtime.version: 11-ea+22
--------- Derby Information --------
[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)
[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)
------------------------------------------------------
----------------- Locale Information -----------------
------------------------------------------------------
------------------------------------------------------

I copied the demo file from demo/templates/server.policy and I use it as my /var/local/derby/1527/security.
The only change I made to the demo file was to *uncomment* the following permission:

               permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

After running Derby with this security policy (see attached), the Derby network server is
able to start fine and I can connect remote clients successfully.  However, I have 2 problems
which I haven't been able to resolve.

(1)
The first big problem is I cannot shutdown the Derby network server while it's running
the security policy!  Here is the command line of the shutdown command:

derby     5503  5498  0 07:43 pts/2    00:00:00 /home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0
-Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/
-Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath
/home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar
org.apache.derby.drda.NetworkServerControl shutdown

Here is the StackTrace I get trying to shutdown:

Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
java.security.AccessControlException: access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")
               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
               at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)
               at java.base/java.net.Socket.connect(Socket.java:586)
               at java.base/java.net.Socket.connect(Socket.java:540)
               at java.base/java.net.Socket.<init>(Socket.java:436)
               at java.base/java.net.Socket.<init>(Socket.java:246)
               at java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)
               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)
               at java.base/java.security.AccessController.doPrivileged(Native Method)
               at org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)
               at org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)
               at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)
               at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

Any help with this permission problem would be greatly appreciated.

(2)
When I try to run a database backup, I get a file permission exception.

Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")
               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)
               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)
               at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)
               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)
               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)
               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)
               at java.base/java.security.AccessController.doPrivileged(Native Method)
               at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)
               at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)
               at org.apache.derby.tools.ij.main(Unknown Source)

I'm surprised at this exception because I specifically set the permission in my security.policy
file:

               permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

So I'm not sure what's going on with this exception either.  Any help would be appreciated.

Mike
@mjremijan
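A small checker, added here and not part of the thread or of Derby itself, that replays the two denials above against a constructed policy built from Rick's SocketPermission grant: it expands ${...} properties the way the JDK policy parser does (an entry that references an undefined property, such as derby.security.port when no -Dderby.security.port is passed, is ignored), and it looks up permissions per codeBase, so a "<<ALL FILES>>" grant under derby.jar does not cover ij running from derbytools.jar. Placing the FilePermission under derby.jar is an assumption for illustration; the thread does not say which grant block was uncommented.

```python
import re
# Constructed sample policy (not the thread's file): Rick's SocketPermission grant
# for derbynet.jar, with the uncommented <<ALL FILES>> permission under derby.jar.
SAMPLE_POLICY = r'''
grant codeBase "${derby.install.url}derby.jar" {
  permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";
};
grant codeBase "${derby.install.url}derbynet.jar" {
  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";
};
'''
LIB = "file:/home/derby/opt/derby/lib/"  # -Dderby.install.url from the thread
GRANT_RE = re.compile(r'grant\s+codeBase\s+"([^"]+)"\s*\{(.*?)\};', re.S)
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]+)"(?:\s*,\s*"([^"]*)")?\s*;')
PROP_RE = re.compile(r'\$\{([^}]+)\}')

def expand(text, props):
    # Expand ${prop}; None if any is undefined (the JDK then ignores that entry).
    if any(p not in props for p in PROP_RE.findall(text)):
        return None
    return PROP_RE.sub(lambda m: props[m.group(1)], text)

def parse_policy(policy, props):
    # Returns ({expanded codeBase: [(class, target, {actions})]}, [ignored entries]).
    grants, ignored = {}, []
    for cb, body in GRANT_RE.findall(policy):
        cb_exp = expand(cb, props)
        for cls, target, actions in PERM_RE.findall(body):
            t = expand(target, props) if cb_exp else None
            if t is None:
                ignored.append(f"{cb} -> {target}")
                continue
            grants.setdefault(cb_exp, []).append((cls, t, set(actions.split(","))))
    return grants, ignored

def granted(grants, jar, cls, target, actions):
    # Literal target match within one codeBase; <<ALL FILES>> covers any path.
    return any(c == cls and set(actions) <= acts and
               (t == target or (c == "java.io.FilePermission" and t == "<<ALL FILES>>"))
               for c, t, acts in grants.get(jar, []))

def diagnose(props):
    # Replay the thread's two denials: (shutdown connect ok?, ij backup read ok?, ignored).
    g, ignored = parse_policy(SAMPLE_POLICY, props)
    sock = granted(g, LIB + "derbynet.jar", "java.net.SocketPermission",
                   "0.0.0.0:1527", ["connect", "resolve"])
    file = granted(g, LIB + "derbytools.jar", "java.io.FilePermission",
                   "/tmp/resiste-backup/1527/resiste-backup.sql", ["read"])
    return sock, file, ignored
```

With only derby.install.url defined, diagnose() reports both checks denied and lists the derbynet.jar entry as ignored; adding derby.security.port=1527 restores the entry, but "0.0.0.0:1527" still does not match "localhost:1527", which is the mismatch the shutdown trace shows.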

