Need help with security policy

classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

Need help with security policy

Michael Remijan

Hi Derby users.

 

I need some help getting the security policy right. 

 

First, here is the command line with all the options for when I start Derby.  I’m pretty sure I got all these correct.

 

/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl start

 

My Java version is:

OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)

 

My Derby version is:  

10.14.2.0

 

My Derby sysinfo is:

------------------ Java Information ------------------

Java Version:    11-ea

Java Vendor:     Azul Systems, Inc.

Java home:       /opt/zulu11.1+23-ea-jdk11-linux_x64

Java classpath:  /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar

OS name:         Linux

OS architecture: amd64

OS version:      4.15.0-20-generic

Java user name:  derby

Java user home:  /home/derby

Java user dir:   /opt/db-derby-10.14.2.0-bin/bin

java.specification.name: Java Platform API Specification

java.specification.version: 11

java.runtime.version: 11-ea+22

--------- Derby Information --------

[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)

------------------------------------------------------

----------------- Locale Information -----------------

------------------------------------------------------

------------------------------------------------------

 

I copied the demo file from demo/templates/server.policy and I use it as my /var/local/derby/1527/security.  The only change I made to the demo file was to *uncomment* the following permission:

 

               permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

After running Derby with this security policy (see attached), the Derby network server is able to start fine and I can connect remote clients successfully.  However, I have 2 problems which I haven’t been able to resolve.

 

(1)

The first big problem is I cannot shutdown the the Derby network server while it’s running the security policy!  Here is the commanline of the shutdown command:

 

derby     5503  5498  0 07:43 pts/2    00:00:00 /home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl shutdown

 

Here is the StackTrace I get trying to shutdown:

 

Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

java.security.AccessControlException: access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)

               at java.base/java.net.Socket.connect(Socket.java:586)

               at java.base/java.net.Socket.connect(Socket.java:540)

               at java.base/java.net.Socket.<init>(Socket.java:436)

               at java.base/java.net.Socket.<init>(Socket.java:246)

               at java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)

               at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

 

Any help with this permission problem would be greatly appreciated.

 

(2)

When I try to run a database backup, I get a file permission exception. 

 

Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)

               at org.apache.derby.tools.ij.main(Unknown Source)

 

I’m surprised at this exception because I specifically set the permission in my security.policy file permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

So I’m not sure what’s going on with this exception either.  Any help would be appreciated.

 

Mike

@mjremijan


security.policy (10K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: Need help with security policy

Rick Hillegas-3
Hey Mark,

I have reproduced some of your security policy problems with Derby 10.14.2.0 on Java 11. I used the server.policy bundled with the product. I had to adjust the policy file as follows:

1) Grant derbynet.jar the following additional permissions:

  permission java.util.PropertyPermission "derby.*", "read,write";
  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

2) Grant derbytools.jar the following additional permission:

  permission java.util.PropertyPermission "*", "read,write";

3) Grant derbyclient.jar the following additional permission:

  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

With those adjustments, the experiments ran successfully. I have attached the files which I used for these experiments:

  zstart - script to boot the server

  zij - script to run a simple ij script using the client driver

  zstop - script to shutdown the server

  zz.policy - policy file used by all of the scripts

Hope this helps,
-Rick


On 8/20/18 5:49 AM, Michael Remijan wrote:

Hi Derby users.

 

I need some help getting the security policy right. 

 

First, here is the command line with all the options for when I start Derby.  I’m pretty sure I got all these correct.

 

/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl start

 

My Java version is:

OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)

 

My Derby version is:  

10.14.2.0

 

My Derby sysinfo is:

------------------ Java Information ------------------

Java Version:    11-ea

Java Vendor:     Azul Systems, Inc.

Java home:       /opt/zulu11.1+23-ea-jdk11-linux_x64

Java classpath:  /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar

OS name:         Linux

OS architecture: amd64

OS version:      4.15.0-20-generic

Java user name:  derby

Java user home:  /home/derby

Java user dir:   /opt/db-derby-10.14.2.0-bin/bin

java.specification.name: Java Platform API Specification

java.specification.version: 11

java.runtime.version: 11-ea+22

--------- Derby Information --------

[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)

------------------------------------------------------

----------------- Locale Information -----------------

------------------------------------------------------

------------------------------------------------------

 

I copied the demo file from demo/templates/server.policy and I use it as my /var/local/derby/1527/security.  The only change I made to the demo file was to *uncomment* the following permission:

 

               permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

After running Derby with this security policy (see attached), the Derby network server is able to start fine and I can connect remote clients successfully.  However, I have 2 problems which I haven’t been able to resolve.

 

(1)

The first big problem is I cannot shutdown the the Derby network server while it’s running the security policy!  Here is the commanline of the shutdown command:

 

derby     5503  5498  0 07:43 pts/2    00:00:00 /home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl shutdown

 

Here is the StackTrace I get trying to shutdown:

 

Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

java.security.AccessControlException: access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)

               at java.base/java.net.Socket.connect(Socket.java:586)

               at java.base/java.net.Socket.connect(Socket.java:540)

               at java.base/java.net.Socket.<init>(Socket.java:436)

               at java.base/java.net.Socket.<init>(Socket.java:246)

               at java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)

               at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

 

Any help with this permission problem would be greatly appreciated.

 

(2)

When I try to run a database backup, I get a file permission exception. 

 

Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)

               at org.apache.derby.tools.ij.main(Unknown Source)

 

I’m surprised at this exception because I specifically set the permission in my security.policy file permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

So I’m not sure what’s going on with this exception either.  Any help would be appreciated.

 

Mike

@mjremijan



zstart (564 bytes) Download Attachment
zij (564 bytes) Download Attachment
zstop (567 bytes) Download Attachment
zz.policy (9K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

RE: Need help with security policy

Michael Remijan

Wow, thank you very much.  I will take a look at it as soon as I can.

 

From: Rick Hillegas <[hidden email]>
Sent: Monday, August 20, 2018 9:02 PM
To: [hidden email]
Subject: Re: Need help with security policy

 

Hey Mark,

I have reproduced some of your security policy problems with Derby 10.14.2.0 on Java 11. I used the server.policy bundled with the product. I had to adjust the policy file as follows:

1) Grant derbynet.jar the following additional permissions:

  permission java.util.PropertyPermission "derby.*", "read,write";
  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

2) Grant derbytools.jar the following additional permission:

  permission java.util.PropertyPermission "*", "read,write";

3) Grant derbyclient.jar the following additional permission:

  permission java.net.SocketPermission "localhost:${derby.security.port}", "connect,resolve";

With those adjustments, the experiments ran successfully. I have attached the files which I used for these experiments:

  zstart - script to boot the server

  zij - script to run a simple ij script using the client driver

  zstop - script to shutdown the server

  zz.policy - policy file used by all of the scripts

Hope this helps,
-Rick


On 8/20/18 5:49 AM, Michael Remijan wrote:

Hi Derby users.

 

I need some help getting the security policy right. 

 

First, here is the command line with all the options for when I start Derby.  I’m pretty sure I got all these correct.

 

/home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl start

 

My Java version is:

OpenJDK 64-Bit Server VM Zulu11.1+23 (build 11-ea+22, mixed mode)

 

My Derby version is:  

10.14.2.0

 

My Derby sysinfo is:

------------------ Java Information ------------------

Java Version:    11-ea

Java Vendor:     Azul Systems, Inc.

Java home:       /opt/zulu11.1+23-ea-jdk11-linux_x64

Java classpath:  /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar

OS name:         Linux

OS architecture: amd64

OS version:      4.15.0-20-generic

Java user name:  derby

Java user home:  /home/derby

Java user dir:   /opt/db-derby-10.14.2.0-bin/bin

java.specification.name: Java Platform API Specification

java.specification.version: 11

java.runtime.version: 11-ea+22

--------- Derby Information --------

[/opt/db-derby-10.14.2.0-bin/lib/derby.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbytools.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbynet.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyclient.jar] 10.14.2.0 - (1828579)

[/opt/db-derby-10.14.2.0-bin/lib/derbyoptionaltools.jar] 10.14.2.0 - (1828579)

------------------------------------------------------

----------------- Locale Information -----------------

------------------------------------------------------

------------------------------------------------------

 

I copied the demo file from demo/templates/server.policy and I use it as my /var/local/derby/1527/security.  The only change I made to the demo file was to *uncomment* the following permission:

 

               permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

After running Derby with this security policy (see attached), the Derby network server is able to start fine and I can connect remote clients successfully.  However, I have 2 problems which I haven’t been able to resolve.

 

(1)

The first big problem is I cannot shutdown the the Derby network server while it’s running the security policy!  Here is the commanline of the shutdown command:

 

derby     5503  5498  0 07:43 pts/2    00:00:00 /home/derby/opt/java/bin/java -Dderby.drda.host=0.0.0.0 -Dderby.drda.portNumber=1527 -Dderby.system.home=/var/local/derby/1527 -Dderby.install.url=file:/home/derby/opt/derby/lib/ -Djava.security.manager -Djava.security.policy=/var/local/derby/1527/security.policy -classpath /home/derby/opt/derby/lib/derby.jar:/home/derby/opt/derby/lib/derbynet.jar:/home/derby/opt/derby/lib/derbytools.jar:/home/derby/opt/derby/lib/derbyoptionaltools.jar:/home/derby/opt/derby/lib/derbyclient.jar org.apache.derby.drda.NetworkServerControl shutdown

 

Here is the StackTrace I get trying to shutdown:

 

Mon Aug 20 07:43:45 CDT 2018 : access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

java.security.AccessControlException: access denied ("java.net.SocketPermission" "0.0.0.0:1527" "connect,resolve")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkConnect(SecurityManager.java:824)

               at java.base/java.net.Socket.connect(Socket.java:586)

               at java.base/java.net.Socket.connect(Socket.java:540)

               at java.base/java.net.Socket.<init>(Socket.java:436)

               at java.base/java.net.Socket.<init>(Socket.java:246)

               at java.base/javax.net.DefaultSocketFactory.createSocket(SocketFactory.java:277)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl$6.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.setUpSocket(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.shutdown(Unknown Source)

               at org.apache.derby.impl.drda.NetworkServerControlImpl.executeWork(Unknown Source)

               at org.apache.derby.drda.NetworkServerControl.main(Unknown Source)

 

Any help with this permission problem would be greatly appreciated.

 

(2)

When I try to run a database backup, I get a file permission exception. 

 

Exception in thread "main" java.security.AccessControlException: access denied ("java.io.FilePermission" "/tmp/resiste-backup/1527/resiste-backup.sql" "read")

               at java.base/java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)

               at java.base/java.security.AccessController.checkPermission(AccessController.java:895)

               at java.base/java.lang.SecurityManager.checkPermission(SecurityManager.java:322)

               at java.base/java.lang.SecurityManager.checkRead(SecurityManager.java:661)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:146)

               at java.base/java.io.FileInputStream.<init>(FileInputStream.java:112)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main$1.run(Unknown Source)

               at java.base/java.security.AccessController.doPrivileged(Native Method)

               at org.apache.derby.impl.tools.ij.Main.mainCore(Unknown Source)

               at org.apache.derby.impl.tools.ij.Main.main(Unknown Source)

               at org.apache.derby.tools.ij.main(Unknown Source)

 

I’m surprised at this exception because I specifically set the permission in my security.policy file permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete";

 

So I’m not sure what’s going on with this exception either.  Any help would be appreciated.

 

Mike

@mjremijan