The java.security.AllPermission
class grants all possible permissions to the caller. This facility was included for routine testing purposes to make it less cumbersome to deal with a multitude of permissions or for use when the code is completely trusted. It should never be applied to untrusted code.
Noncompliant Code Example
This noncompliant example grants AllPermission
to a library (klib
). The permission itself is specified in the security policy file used by the security manager. Alternatively, a permission object can be obtained in the code by subclassing the Permission
class (or any subclass like BasicPermission
) in the java.security package
.
/* grant the klib library AllPermission */ grant codebase "file:${klib.home}/j2ee/home/klib.jar" { permission java.security.AllPermission; };
Compliant Solution
The policy file can be signed and made to provide more restrictive permissions.
grant codeBase "file:${klib.home}/j2ee/home/klib.jar", signedBy "Admin" { permission java.io.FilePermission "/tmp/*", "read"; permission java.io.SocketPermission "*", "connect"; };
Always assign appropriate permissions to code. This can be achieved by extending any of the permission classes. The next solution shows how to implement restrictive permissions within the code.
//security manager code perm = new java.io.FilePermission("/tmp/JavaFile","read"); //other code
Exceptions
SEC31-EX1: It may be necessary to grant AllPermission
to trusted library code so that callbacks will work.
For example, it is common practice to grant AllPermission
to the Java system code:
// Standard extensions get all permissions by default grant codeBase "file:${{java.ext.dirs}}/*" { permission java.security.AllPermission; };
Risk Assessment
Granting AllPermission
to untrusted code means that there is no security at all.
Rule |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
SEC31-J |
high |
probable |
low |
P18 |
L1 |
Automated Detection
TODO
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
[[API 06]] Class AllPermission
[[Gong 03]]
[[Security 06]] Security Architecture
SEC30-J. Always use a Security Manager 00. Security (SEC) SEC32-J. Do not grant ReflectPermission with action suppressAccessChecks