Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The permission java.security.AllPermission grants all possible permissions to code. This facility was included to reduce the burden of managing a multitude of permissions during routine testing as well as when a body of code is completely trusted. Code is typically granted AllPermission via the security policy file; it is also possible to programmatically associate AllPermission with a ProtectionDomain. This permission is dangerous in production environments. Never grant AllPermission to untrusted code.

ReflectPermission, suppressAccessChecks

Wiki MarkupGranting {{ReflectPermission}} on the target {{suppressAccessChecks}} suppresses all standard Java language access checks when the permitted class attempts to operate on package-private, protected, or private members of another class. Consequently, the permitted class can obtain permissions to examine any field or invoke any method belonging to an arbitrary class \[ [Reflect 2006|AA. References#Reflect 06]\]. As a result, {{ReflectPermission}} must never be granted with target {{suppressAccessChecks}}.

Wiki MarkupAccording to the technical note _Permissions in the Java SE 6 Development Kit_ \[ [Permissions 2008|AA. References#Permissions 08]\], Section [ReflectPermission|http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#ReflectPermission], target {{suppressAccessChecks}}:

Warning: Extreme caution should be taken before granting this permission to code, for it provides the ability to access fields and invoke methods in a class. This includes not only public, but protected and private fields and methods as well.

...

The permission java.lang.RuntimePermission applied to target createClassLoader grants code the permission to create a ClassLoader object. This permission is extremely dangerous because malicious code can create its own custom class loader and load classes by assigning them arbitrary permissions. A custom class loader can define a class (or ProtectionDomain) with permissions that override any restrictions specified in the systemwide security policy file.unmigrated-wiki-markup

_Permissions in the Java SE 6 Development Kit_ \ [[Permissions 2008|AA. References#Permissions 08] \] states:

This is an extremely dangerous permission to grant. Malicious applications that can instantiate their own class loaders could then load their own rogue classes into the system. These newly loaded classes could be placed into any protection domain by the class loader, thereby automatically granting the classes the permissions for that domain.

...

This noncompliant example grants AllPermission to the klib library. :

Code Block
bgColor#FFcccc

// Grant the klib library AllPermission  
grant codebase "file:${klib.home}/j2se/home/klib.jar" { 
  permission java.security.AllPermission; 
}; 

The permission itself is specified in the the security policy file used by the security manager. Program code can obtain a permission object by subclassing the java.security.Permission class or any of its subclasses (BasicPermission, for example). The code can use the resulting object to grant AllPermission to a ProtectionDomain.

...

This compliant solution shows a policy file that can be used to enforce fine-grained permissions. :

Code Block
bgColor#ccccff

grant codeBase 
    "file:${klib.home}/j2se/home/klib.jar", signedBy "Admin" {
  permission java.io.FilePermission "/tmp/*", "read";
  permission java.io.SocketPermission "*", "connect";
};

To check whether the caller has the requisite permissions, standard Java APIs use code such as the following:

Code Block
bgColor#ccccff

// Security manager check
FilePermission perm =
    new java.io.FilePermission("/tmp/JavaFile", "read");
AccessController.checkPermission(perm);
// ...

...

This noncompliant code example shows an overridden getPermissions() method, defined in a custom class loader. It grants java.lang.ReflectPermission with target suppressAccessChecks to any class that it loads.

Code Block
bgColor#FFcccc

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  pc.add(new ReflectPermission("suppressAccessChecks"));   // permissionPermission to create a class loader
  // otherOther permissions
  return pc;
}

Compliant Solution

This compliant solution does not grant java.lang.ReflectPermission with target suppressAccessChecks to any class that it loads.:

Code Block
bgColor#ccccff

protected PermissionCollection getPermissions(CodeSource cs) {
  PermissionCollection pc = super.getPermissions(cs);
  // otherOther permissions
  return pc;
}

Exceptions

ENV03-J-EX0: It may be necessary to grant AllPermission to trusted library code so that callbacks work as expected. For example, it is common practice, and acceptable, to grant AllPermission to the optional Java packages (extension libraries):

Code Block
bgColor#ccccff

// Standard extensions extend the core platform and are granted all permissions by default
grant codeBase "file:${{java.ext.dirs}}/*" {
  permission java.security.AllPermission;
};

Risk Assessment

Granting AllPermission to to untrusted code allows it to perform privileged operations.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

ENV03-J

high

High

likely

Likely

low

Low

P27

L1

Automated Detection

Static detection of potential uses of dangerous permissions is a trivial search. Automated determination of the correctness of such uses is not feasible.

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.IO.PERM

Permissive File Mode (Java)

Related Vulnerabilities

CVE-2007-5342 describes a vulnerability in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15. The security policy used in the JULI logging component failed to restrict certain permissions for web applications. An attacker could modify the log level, directory, or prefix attributes in the org.apache.juli.FileHandler handler, permitting them to modify logging configuration options and overwrite arbitrary files.

Related Guidelines

MITRE CWE

CWE-732

. Incorrect permission assignment for critical resource

Bibliography

, Incorrect Permission Assignment for Critical Resource

Android Implementation Details

The java.security package exists on Android for compatibility purposes only, and it should not be used. Android uses another permission mechanism for security purposes.

Bibliography

[API 2014]

Class AllPermission
Class ReflectPermission
Class RuntimePermission

[Gong 2003]


[Long 2005

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5cecf279-dfb8-4c3f-be82-13ca563ecab1"><ac:plain-text-body><![CDATA[

[[API 2006

AA. References#API 06]]

[Class AllPermission

http://java.sun.com/javase/6/docs/api/java/security/AllPermission.html], [ReflectPermission

http://java.sun.com/javase/6/docs/api/java/lang/reflect/ReflectPermission.html], [RuntimePermission

http://java.sun.com/javase/6/docs/api/java/lang/reflect/RuntimePermission.html]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9ee017a7-03aa-4f9e-a35e-7628c6b039e6"><ac:plain-text-body><![CDATA[

[[Gong 2003

AA. References#Gong 03]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1dfd0568-071c-4fe5-ae07-feea1465d04d"><ac:plain-text-body><![CDATA[

[[Long 2005

AA. References#Long 05]

]

Section 2.5,

Reflection

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="7dcbff8b-02d4-4d56-80d4-af5c7794ec16"><ac:plain-text-body><![CDATA[

[[Permissions 2008

AA. References#Permissions 08]]

Section [ReflectPermission

http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#ReflectPermission]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3b3187a5-43ae-459e-a64e-e38d38e41803"><ac:plain-text-body><![CDATA[

[[Reflect 2006

AA. References#Reflect 06]]

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="fffb7159-08c8-4825-b29c-2e86c2fc8baa"><ac:plain-text-body><![CDATA[

[[Security 2006

AA. References#Security 06]]

[Security Architecture

http://java.sun.com/javase/6/docs/technotes/guides/security/spec/security-spec.doc.html], Section [RuntimePermission

http://java.sun.com/javase/6/docs/technotes/guides/security/permissions.html#RuntimePermission]

]]></ac:plain-text-body></ac:structured-macro>

"Reflection"

[Permissions 2008]

Section "ReflectPermission"

[Reflect 2006]

[Security 2006]

Security Architecture
Section "RuntimePermission"


...

Image Added Image Added Image Removed      15. Runtime Environment (ENV)