Bug 214124 - [config] Need to use doPrivileged when accessing config store
Summary: [config] Need to use doPrivileged when accessing config store
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Incubator (show other bugs)
Version: 3.4   Edit
Hardware: All All
: P3 normal (vote)
Target Milestone: 3.4 M5   Edit
Assignee: equinox.incubator-inbox CLA
QA Contact:
URL:
Whiteboard:
Keywords: contributed
Depends on:
Blocks:
 
Reported: 2008-01-02 11:04 EST by Simon Kaegi CLA
Modified: 2008-01-16 13:26 EST (History)
2 users (show)

See Also:

Attachments
Possible fix to the security problem (3.50 KB, patch)
2008-01-02 11:57 EST, Mike Mansell CLA 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Simon Kaegi CLA 2008-01-02 11:04:46 EST 
From Mike Mansell:

I was doing some experimental work with Equinox and the incubator Config Admin service and running under a Security Manager. I found that a bundle that has restricted permissions incorrectly fails when manipulating configuration data.

Basically, if Bundle A has only permission to get the ConfigurationAdmin service and CONFIGURE permissions

ie.

( org.osgi.framework.ServicePermission "org.osgi.service.cm.ConfigurationAdmin" "GET" )
( org.osgi.service.cm.ConfigurationPermission "*" "CONFIGURE" )

Then, it's able to get the Configuration object, but when it attempts to update it, there is a permission failure within the Config Admin. Specifically, when it attempts to access the file system to write the updated properties, (ie. java.io.File access) the normal AccessController verifies that both the Config Admin AND Bundle A have the permission to access the file. Bundle A's permissions should have no bearing on this as the fact that it's a File store is internal to this implementation of the Config Admin.
Comment 1 Mike Mansell CLA 2008-01-02 11:57:44 EST 
Created attachment 85996 [details]
Possible fix to the security problem

I've walked through the different 'public' access points to the Config Admin service, and found that there are only 3 places that need to have a minor change. Basically, anywhere that the ConfigurationStore is accessed from public APIs and attempt to change the permanent store (which is only within ConfigurationImpl). These 3 places need to have a AccessController.doPriviledged() wrapper added to stop the AccessController from checking permissions beyond the Config Admin (ie. prevent it from checking Bundle A).

This patch contains those changes.
Comment 2 Simon Kaegi CLA 2008-01-16 10:49:21 EST 
I've checked a fix into HEAD.
I restricted the privileged section just to the configuration store but otherwise it should perform correctly.

This passes the unit tests however I I have not had a chance to test this properly with a SecurityManager in place similar to what you describe so I'm hesitant to mark FIXED.

Mike, could you try the version from HEAD to confirm?
Comment 3 Thomas Watson CLA 2008-01-16 11:04:25 EST 
Adding contributed key word.  Simon, I assume you based the fix off the contributed fix from Mike?
Comment 4 Mike Mansell CLA 2008-01-16 12:03:26 EST 
I've checked out the latest, and yes, it does work in my SecurityManager. I don't have a test case for delete, but the update works great.
Comment 5 Simon Kaegi CLA 2008-01-16 13:26:14 EST 
re: contributed
Yes. Thanks for the patch Mike.