The default SecurityManager checks whether the caller of a particular method has sufficient permissions to proceed with an action. An action is a level of access; for instance, the actions for java.io.FilePermission are "read," "write," "execute," and "delete" [API 2011] (class FilePermission). The "Permission Descriptions and Risks" guide [Permissions 2008] enumerates the default permissions and the risks associated with granting these permissions to Java code.
...
This noncompliant code example contains a privileged block that is used to perform two sensitive operations: loading a library and setting the default exception handler.
```java
import java.security.AccessController;
import java.security.PrivilegedAction;

class LoadLibrary {
  private void loadLibrary() {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        // Privileged code
        System.loadLibrary("myLib.so");
        // Perform some sensitive operation like setting the default exception handler.
        // reporter is an ExceptionReporter held by the application (not shown on the page).
        MyExceptionReporter.setExceptionReporter(reporter);
        return null;
      }
    });
  }
}
```
...
```java
import java.security.AccessController;
import java.security.BasicPermission;
import java.security.PrivilegedAction;

class LoadLibrary {
  private void loadLibrary() {
    AccessController.doPrivileged(new PrivilegedAction<Void>() {
      public Void run() {
        // Privileged code
        System.loadLibrary("myLib.so");
        // Perform some sensitive operation like setting the default exception handler.
        // reporter is an ExceptionReporter held by the application (not shown on the page).
        MyExceptionReporter.setExceptionReporter(reporter);
        return null;
      }
    });
  }
}

// ExceptionReporter is an application-defined base class (not shown on the page).
final class MyExceptionReporter extends ExceptionReporter {
  public static void setExceptionReporter(ExceptionReporter reporter) {
    SecurityManager sm = System.getSecurityManager();
    if (sm != null) {
      // Require the custom permission before performing the sensitive operation
      sm.checkPermission(new ExceptionReporterPermission("exc.reporter"));
    }
    // Proceed to set the exception reporter
  }
  // ... other methods of MyExceptionReporter
}

final class ExceptionReporterPermission extends BasicPermission {
  public ExceptionReporterPermission(String permName) {
    super(permName);
  }

  // Even though the actions parameter is ignored, this constructor has to be defined
  // so that permission objects can be constructed from the policy file
  public ExceptionReporterPermission(String permName, String actions) {
    super(permName, actions);
  }
}
```
Assuming that the preceding sources reside in the c:\package directory on a Windows-based system, the policy file needs to grant two permissions: ExceptionReporterPermission exc.reporter and RuntimePermission loadLibrary.awt.
...
By default, permissions that extend BasicPermission cannot be defined to support actions, but actions can be freely implemented in the subclass ExceptionReporterPermission if required. BasicPermission is abstract even though it contains no abstract methods; it implements all the abstract methods it inherits from the Permission class. The custom-defined subclass of the BasicPermission class has to define two constructors that call the matching (one- or two-argument) superclass constructor, because the superclass lacks a default constructor. The two-argument constructor also accepts an action even though a basic permission does not use it. This behavior is required for constructing permission objects from the policy file. Note that the custom-defined subclass of the BasicPermission class is declared to be final in accordance with guideline OBJ56-JG, "Classes that derive from a sensitive class or implement a sensitive interface must be declared final."
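The following added example (not code from the CERT page) shows, without installing a SecurityManager, what the policy grants described above actually decide: it builds the same two permissions in an in-memory PermissionCollection, then checks candidate requests the way checkPermission would, including the name-hierarchy and wildcard semantics of BasicPermission and the fact that the actions argument is accepted but ignored. The class name PermissionGrantDemo, the method names, the policy file entry quoted in the comment, and the codeBase path are assumptions made for illustration.

```java
import java.security.BasicPermission;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;

// Custom permission as in the compliant solution: name-based, no actions.
final class ExceptionReporterPermission extends BasicPermission {
  public ExceptionReporterPermission(String permName) {
    super(permName);
  }

  // Needed so the policy file parser can construct the permission from a
  // (name, actions) pair; BasicPermission discards the actions.
  public ExceptionReporterPermission(String permName, String actions) {
    super(permName, actions);
  }
}

public final class PermissionGrantDemo {

  // Builds in memory the grants that an (assumed) policy file entry would express:
  //
  //   grant codeBase "file:/c:/package/-" {
  //     permission ExceptionReporterPermission "exc.reporter";
  //     permission java.lang.RuntimePermission "loadLibrary.awt";
  //   };
  static PermissionCollection grantedToPackage() {
    Permissions granted = new Permissions();
    granted.add(new ExceptionReporterPermission("exc.reporter"));
    granted.add(new RuntimePermission("loadLibrary.awt"));
    granted.setReadOnly();
    return granted;
  }

  // The decision checkPermission() ultimately makes for one protection domain:
  // the requested permission must be implied by what the policy granted.
  static boolean isAllowed(PermissionCollection granted, Permission requested) {
    return granted.implies(requested);
  }

  public static void main(String[] args) {
    PermissionCollection granted = grantedToPackage();

    // Exact name match: allowed.
    System.out.println(isAllowed(granted, new ExceptionReporterPermission("exc.reporter")));       // true
    // A deeper name in the same hierarchy is not implied by a non-wildcard grant.
    System.out.println(isAllowed(granted, new ExceptionReporterPermission("exc.reporter.debug"))); // false
    // Granting loadLibrary.awt says nothing about other libraries.
    System.out.println(isAllowed(granted, new RuntimePermission("loadLibrary.myLib")));            // false
    // The actions string is accepted for policy-file construction but ignored.
    System.out.println(new ExceptionReporterPermission("exc.reporter", "read").getActions().isEmpty()); // true

    // A wildcard grant ("exc.*") implies every name below it, so grant the
    // narrowest name the code needs rather than the whole hierarchy.
    Permissions wildcard = new Permissions();
    wildcard.add(new ExceptionReporterPermission("exc.*"));
    System.out.println(isAllowed(wildcard, new ExceptionReporterPermission("exc.reporter.debug"))); // true
  }
}
```

Because the check is purely name-based, two custom permissions that differ only in an actions string are the same grant; if an application genuinely needs read/write-style granularity it must implement getActions() and implies() in the subclass instead of relying on BasicPermission.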
...
Running Java code without defining custom permissions where default permissions are inapplicable can leave an application open to privilege escalation vulnerabilities.
Related Guidelines
...
...
Incorrect permission assignment for critical resource
Bibliography
...
"The Access Controller," "Permissions"
...
...
...