Certain combinations of permissions can produce significant capability increases and should not be granted. Other permissions should only be granted only to special code.
AllPermission
The permission java.security.AllPermission grants all possible permissions to code. This facility was included to reduce the burden of managing a multitude of permissions during routine testing , as well as when a body of code is completely trusted. Code is typically granted AllPermission via the security policy file; it is also possible to programmatically associate AllPermission with a ProtectionDomain. This permission is dangerous in production environments; never grant AllPermission to untrusted code.
ReflectPermission, suppressAccessChecks
| Wiki Markup |
|---|
TheGranting {{ReflectPermission}} permission when granted on the target {{suppressAccessChecks}} suppresses all standard Java language access checks when the permitted class attempts to operate on public, defaultpackage-private, protected, or private members of another class. Consequently, the permitted class can obtain permissions to examine any field or invoke any method belonging to an arbitrary class \[[Reflect 2006|AA. Bibliography#Reflect 06]\]. As a Consequentlyresult, the {{ReflectPErmissionReflectPermission}} permision must never be granted with target {{suppressAccessChecks}}. |
...
Warning: Extreme caution should be taken before granting this permission to code, for it provides the ability to access fields and invoke methods in a class. This includes not only public, but protected and private fields and methods as well.
RuntimePermission, createClassLoader
The permission java.lang.RuntimePermission permission applied to target createClassLoader grants permission to code so that it can create a ClassLoader object. This is extremely dangerous because malicious code can create its own custom class loader and load classes by assigning them arbitrary permissions. A custom class loader can define a class (or ProtectionDomain) with permissions that override any restrictions specified in the system-wide systemwide security policy file.
The document Permissions 2008, in Section RuntimePermission, says_Permissions in the Java⢠SE 6 Development Kit (JDK)_ Permissions 2008 states:
This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system. These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.
...
The permission itself is specified in the security policy file used by the security manager. Program code can obtain a permission object by subclassing the java.security.Permission class or any of its subclasses (BasicPermission, for example). The code can use the resulting object to grant AllPermission to a ProtectionDomain. This is bad practice.
Compliant Solution
This compliant solution shows a policy file that can be used to enforce fine-grained permissions.
| Code Block | ||
|---|---|---|
| ||
grant codeBase "file:${klib.home}/j2se/home/klib.jar", signedBy "Admin" { permission java.io.FilePermission "/tmp/*", "read"; permission java.io.SocketPermission "*", "connect"; }; |
...
| Code Block | ||
|---|---|---|
| ||
// Security manager check FilePermission perm = new java.io.FilePermission("/tmp/JavaFile", "read"); AccessController.checkPermission(perm); // ... |
...
Compliant Solution
This compliant solution omits granting the does not grant java.lang.ReflectPermission with target suppressAccessChecks to any class that it loads.
| Code Block | ||
|---|---|---|
| ||
protected PermissionCollection getPermissions(CodeSource cs) {
PermissionCollection pc = super.getPermissions(cs);
// other permissions
return pc;
}
|
Exceptions
ENV03-EX0: It may be necessary to grant AllPermission to trusted library code so that callbacks work as expected. For example, it is common practice, and acceptable, to grant AllPermission to the optional Java packages (extension libraries):
...
Related Vulnerabilities
CVE-2007-5342 describes a vulnerability in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15. The security policy used in the JULI logging component failed to restrict certain permissions for web applications. An attacker could modify the log level, directory, or prefix attributes in the org.apache.juli.FileHandler handler, permitting them to modify logging configuration options and overwrite arbitrary files.
Related Guidelines
CWE-732, "Incorrect Permission Assignment for Critical Resource" . Incorrect permission assignment for critical resource |
Bibliography
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="91c575df2fea6c74-4c16d1ef-44434136-bd9dbbc9-d96326a724d953804da4b38a"><ac:plain-text-body><![CDATA[ | [[API 2006 | AA. Bibliography#API 06]] | [Class | http://java.sun.com/javase/6/docs/api/java/security/AllPermission.html], [ | http://java.sun.com/javase/6/docs/api/java/lang/reflect/ReflectPermission.html], [ | http://java.sun.com/javase/6/docs/api/java/lang/reflect/RuntimePermission.html] | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="827ce25d66cccd48-c638b57a-4b9b4e15-86f1ad9d-b07a440a1658f46f4ca46696"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] |
| ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="61bc4ca485c6fd8d-58709adf-48264ea0-a586807c-512945ac706ad3235a993774"><ac:plain-text-body><![CDATA[ | [[Long 2005 | AA. Bibliography#Long 05]] | Section 2.5, Reflection | ]]></ac:plain-text-body></ac:structured-macro> | |||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="b2fb594dbaae9fdd-cd0fb1a7-45a540ae-8be3b2c7-fc58be5c36c1f4ec67840a3e"><ac:plain-text-body><![CDATA[ | [[Permissions 2008 | AA. Bibliography#Permissions 08]] | Section [ | http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#ReflectPermission] | ]]></ac:plain-text-body></ac:structured-macro> | ||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="05d6d58e5e8a6797-b871e59d-4102478b-85b6be20-c3bd9d87620df5caace52f7b"><ac:plain-text-body><![CDATA[ | [[Reflect 2006 | AA. Bibliography#Reflect 06]] | ]]></ac:plain-text-body></ac:structured-macro> | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3c95223de12e051e-abde2804-4cc74ad5-bc77a4f8-66248182fe016f804052148d"><ac:plain-text-body><![CDATA[ | [[Security 2006 | AA. Bibliography#Security 06]] | [Security Architecture | http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html], Section [ | http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission] | ]]></ac:plain-text-body></ac:structured-macro> |
...