Subject: Protecting system properties (was: Re: [jira] Commented: (DERBY-1387) Add JMX extensions to Derby)
From: John Embretsen (John@Sun.COM)
Date: Feb 7, 2008 9:03:46 am
List: org.apache.db.derby-dev

Daniel John Debrunner wrote:

> Rick Hillegas wrote:
>
>> Thanks for those experiments, John. When I boot the network server, it installs the default Derby server policy. Even then I can still click through the system properties via the Runtime MBean. This surprises me because the default policy only grants permissions to the Derby jars.
>
> I would guess the system jmx beans are jre system code and thus granted all permissions.

Right. And fiddling with the system's default security policy for libraries from the Java platform (java.*, javax.*) is not something I recommend. I am guessing here, but I have a feeling that at least 99.9% of our users will accept this risk instead of going that route.

There are most likely other ways to deal with this particular source of exposure, by jumping through a number of hoops here and there (e.g. by disabling or somehow modifying the RuntimeMXBean whenever Derby boots), but do we really want to go that way?

There may be a "gazillion" other ways to view system properties of a given JVM today or in the future - and we would need to keep up with that...

In my opinion, once you choose to expose your application to other, potentially harmful, users through JMX or other means, you necessarily need to deal with a potentially higher risk level.

We, as Derby developers, should strive to keep the sensitivity of the information stored as (derby) system properties to a minimum. For example, we should recommend against defining usernames and passwords in cleartext as system properties (especially in scenarios where remote JMX is enabled), and should provide better alternatives to the users.

It is, as Rick mentioned, hard to determine the value of a given property in the hands of a malevolent user, but I am inclined to think this is something we could live with. We cannot protect against everything. Does anyone know how other comparable systems handle this issue?

Anyway, just my 2 cents...
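
An audit in the spirit of the recommendation above, as an added example that is not part of the original post or of Derby's code: it reads the same system-property map that the Runtime MXBean exposes and reports the names of properties that look like credentials. The hint list and the sample property values are assumptions made for illustration; `derby.user.<name>` is Derby's BUILTIN user property.

```java
import java.lang.management.ManagementFactory;
import java.lang.management.RuntimeMXBean;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeMap;

/** Added example: lists credential-like system properties visible through the Runtime MXBean. */
public class JmxVisiblePropertyAudit {

    // Assumed heuristics for "looks like a credential"; tune for your deployment.
    private static final String[] SENSITIVE_HINTS = {"password", "passwd", "secret"};

    /** Returns, in sorted order, the names of properties whose key suggests a credential. */
    static List<String> findSensitive(Map<String, String> props) {
        List<String> hits = new ArrayList<>();
        for (String key : new TreeMap<>(props).keySet()) {
            String k = key.toLowerCase(Locale.ROOT);
            // derby.user.<name>=<password> defines a BUILTIN user in cleartext.
            boolean hit = k.startsWith("derby.user.");
            for (String hint : SENSITIVE_HINTS) {
                hit |= k.contains(hint);
            }
            if (hit) {
                hits.add(key);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample values, set only so the audit has something to find.
        System.setProperty("derby.user.sampleuser", "not-a-real-password");
        System.setProperty("javax.net.ssl.keyStorePassword", "not-a-real-password");

        // The map a JMX client sees as the SystemProperties attribute of java.lang:type=Runtime.
        RuntimeMXBean runtime = ManagementFactory.getRuntimeMXBean();
        Map<String, String> visible = runtime.getSystemProperties();

        for (String key : findSensitive(visible)) {
            // Report the name only; never echo the value into logs.
            System.out.println("Readable via RuntimeMXBean: " + key);
        }
    }
}
```

Running the check at server start-up, before remote JMX is enabled, shows which settings should move out of system properties.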