The java.security.AllPermission
class grants all possible permissions to the caller. This facility was included for routine testing purposes to make it less cumbersome to deal with a multitude of permissions or for use when the code is completely trusted. It should never be applied to untrusted code.
Noncompliant Code Example
This noncompliant example grants AllPermission
to the klib
library. The permission itself is specified in the security policy file used by the security manager. Alternatively, a permission object can be obtained in the code by subclassing the Permission
class (or any subclass such as{{BasicPermission}}) in the java.security package
.
/* grant the klib library AllPermission */ grant codebase "file:${klib.home}/j2ee/home/klib.jar" { permission java.security.AllPermission; };
Compliant Solution
The policy file can be signed and made to provide more restrictive permissions.
grant codeBase "file:${klib.home}/j2ee/home/klib.jar", signedBy "Admin" { permission java.io.FilePermission "/tmp/*", "read"; permission java.io.SocketPermission "*", "connect"; };
Always assign appropriate permissions to code. This can be achieved by extending any of the permission classes. The next solution shows how to implement restrictive permissions within the code.
//security manager code perm = new java.io.FilePermission("/tmp/JavaFile","read"); //other code
Exceptions
SEC31-EX1: It may be necessary to grant AllPermission
to trusted library code so that callbacks will work.
For example, it is common practice to grant AllPermission
to the Java system code:
// Standard extensions get all permissions by default grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; };
Risk Assessment
Granting AllPermission
to untrusted code means that there is no security at all.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC31-J |
high |
probable |
low |
P18 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]] Class AllPermission
[[Gong 03]]
[[Security 06]] Security Architecture
SEC30-J. Always use a Security Manager 00. Security (SEC) SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks