RFR 8159528: Deprivilege java.security.jgss, jdk.security.jgss and jdk.security.auth
Weijun Wang
weijun.wang at oracle.com
Wed Jul 13 02:01:15 UTC 2016
On 7/12/2016 22:31, Sean Mullan wrote:
> Did you try to grant less than AllPermission to these modules?
Ah yes, below are the exact permissions needed to run the
sun/security/krb5/auto/BasicProc.java test. Some of them will also need to be
granted to the application. For the SocketPermission, FilePermission,
DelegationPermission and ServicePermission entries, the name will need to be
changed to "*".
These permissions are surely not enough. For example, if the server-side
rcache is enabled, a FilePermission with the "write" action will be needed.
If SPNEGO is used, at least the SPNEGO debug flag will need to be readable.
There are other kinds of LoginModules that would need other permissions.
// Permissions observed as necessary for the java.security.jgss module while
// running sun/security/krb5/auto/BasicProc.java. This is a per-test trace, not
// a complete policy: other configurations (server-side rcache, SPNEGO, other
// LoginModules) are stated in the message to need more.
// NOTE(review): " at " inside the principal names below looks like the mail
// archive's rewriting of "@" (e.g. server/localhost@REALM) -- restore it
// before reusing any entry.
grant codeBase "jrt:/java.security.jgss" {
// Access to internal packages used by the module.
permission java.lang.RuntimePermission
"accessClassInPackage.jdk.internal.misc";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.util";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.action";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.ssl";
// Read-only access to the Kerberos/JGSS configuration and debug system
// properties; no "write" action is granted on any of them.
permission java.util.PropertyPermission
"sun.security.krb5.debug", "read";
permission java.util.PropertyPermission
"java.security.krb5.kdc", "read";
permission java.util.PropertyPermission
"java.security.krb5.realm", "read";
permission java.util.PropertyPermission
"java.security.krb5.conf", "read";
permission java.util.PropertyPermission
"sun.security.jgss.mechanism", "read";
permission java.util.PropertyPermission
"sun.security.krb5.msinterop.kstring", "read";
permission java.util.PropertyPermission
"sun.security.jgss.debug", "read";
permission java.util.PropertyPermission
"javax.security.auth.useSubjectCredsOnly", "read";
permission java.util.PropertyPermission
"sun.security.krb5.rcache", "read";
permission java.util.PropertyPermission
"sun.security.krb5.acceptor.subkey", "read";
// Config#loadConfigFile
permission java.util.PropertyPermission "user.dir", "read";
// Connecting to KDC (could be UDP)
// Test-specific endpoint (presumably the test KDC on loopback). The message
// says the name must become "*" outside the test, which widens the grant to
// every host and port -- scope it to the real KDC addresses where possible.
permission java.net.SocketPermission "127.0.0.1:14234",
"accept,connect,resolve";
// Relative path, resolved against the working directory of the test run.
// Note that a FilePermission name of "*" matches only files in the current
// directory, not every file on the system.
permission java.io.FilePermission "krb5.conf", "read";
permission java.security.SecurityPermission
"getProperty.krb5.kdc.bad.policy";
// NOTE(review): reflective-access permissions. "suppressAccessChecks" lets the
// holder bypass Java language access checks on reflected members, making it
// one of the broadest entries in this grant -- confirm which code path needs
// it before keeping it in a deprivileged policy.
permission java.lang.RuntimePermission "accessDeclaredMembers";
permission java.lang.reflect.ReflectPermission
"suppressAccessChecks";
permission java.util.PropertyPermission
"sun.security.krb5.autodeducerealm", "read";
// Setting, clearing and removing properties of the SunJGSS provider only.
permission java.security.SecurityPermission
"putProviderProperty.SunJGSS";
permission java.security.SecurityPermission
"clearProviderProperties.SunJGSS";
permission java.security.SecurityPermission
"removeProviderProperty.SunJGSS";
// Subject access and modification of its private credential set.
permission javax.security.auth.AuthPermission "getSubject";
permission javax.security.auth.AuthPermission
"modifyPrivateCredentials";
// Read access to keytab, ticket and long-term key credentials. The
// principal part is * "*", i.e. credentials belonging to any principal.
permission javax.security.auth.PrivateCredentialPermission
"javax.security.auth.kerberos.KeyTab * \"*\"", "read";
permission javax.security.auth.PrivateCredentialPermission
"javax.security.auth.kerberos.KerberosTicket * \"*\"", "read";
permission javax.security.auth.PrivateCredentialPermission
"javax.security.auth.kerberos.KerberosKey * \"*\"", "read";
// Service and delegation permissions for the principals used by this test.
// The message says these names become "*" in general use, which allows
// initiating to and accepting as any service principal.
permission javax.security.auth.kerberos.ServicePermission
"server/localhost at REALM", "accept";
permission javax.security.auth.kerberos.ServicePermission
"backend/localhost at REALM", "accept";
permission javax.security.auth.kerberos.ServicePermission
"krbtgt/REALM at REALM", "initiate";
permission javax.security.auth.kerberos.ServicePermission
"server/localhost at REALM", "initiate";
permission javax.security.auth.kerberos.DelegationPermission
"\"server/localhost at REALM\" \"krbtgt/REALM at REALM\"";
// Absolute keytab path from the machine the trace was taken on; it must be
// replaced with the deployment's keytab location.
permission java.io.FilePermission
"C:\\cygwin\\home\\ww155710\\tmp\\RR1\\W\\scratch\\ktab", "read";
// NOTE(review): the next "accept" entry repeats the backend/localhost grant
// that already appears earlier in this block; the duplicate is harmless.
permission javax.security.auth.kerberos.ServicePermission
"backend/localhost at REALM", "accept";
permission javax.security.auth.kerberos.ServicePermission
"backend/localhost at REALM", "initiate";
};
// Permissions observed as necessary for the jdk.security.jgss module in the
// same BasicProc.java test run.
grant codeBase "jrt:/jdk.security.jgss" {
// Access to the internal JGSS implementation package.
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.jgss";
// NOTE(review): the "*" name covers every security-context inquiry type;
// confirm whether the module needs all of them or only specific ones.
permission com.sun.security.jgss.InquireSecContextPermission "*";
};
// Permissions observed as necessary for the jdk.security.auth module in the
// same BasicProc.java test run. The message notes that other kinds of
// LoginModules would need additional permissions.
grant codeBase "jrt:/jdk.security.auth" {
// Modification of a Subject's private credentials and principals.
permission javax.security.auth.AuthPermission
"modifyPrivateCredentials";
permission javax.security.auth.AuthPermission "modifyPrincipals";
permission java.util.PropertyPermission
"sun.security.krb5.principal", "read";
// Access to the internal Kerberos implementation packages, including the
// keytab reader.
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.krb5";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.jgss.krb5";
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.krb5.internal.ktab";
// resource bundle
permission java.lang.RuntimePermission
"accessClassInPackage.sun.security.util";
// NOTE(review): presumably also needed for the resource bundle lookup --
// confirm, since "getClassLoader" is broader than a package-access grant.
permission java.lang.RuntimePermission "getClassLoader";
};
Thanks
Max