Prevent privilege escalation through AccessController.doPrivileged()
tom.hawtin at oracle.com
Thu Jul 4 17:04:36 UTC 2013
On 04/07/2013 15:44, Florian Weimer wrote:
> Is there a way to prevent future calls to
> AccessController.doPrivileged() from the same thread from actually
> increasing privilege?
No. If the code has the relevant permissions, it can call doPrivileged
together with the 1.0/1.1 legacy and new caller-sensitive methods. If
doPrivileged were blocked, things like class loading would break. And it
wouldn't work for untrusted code, as it could find some other thread to
run on (because of all the global state hanging around).
> Reducing these privileges with a separate class loader seems to be the
> official way to achieve that. Is there a way to get there without
> defining and installing your own (global) security manager?
ProtectionDomain is the way to assign permissions to code (optionally,
since 1.4, through Policy). Typically you would also need to use a
separate class loader if, instead of attempting "least privilege", you
really didn't trust the code (see, for instance, the "mixed-code fix",
which uses a pair of class loaders for a single applet context). You
shouldn't need to use a custom security manager.
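The following is an added worked example, written for this page rather than taken from the thread or from the JDK, showing the mechanism Tom describes: a separate class loader defines untrusted code into a static ProtectionDomain whose permissions are fixed, and doPrivileged() called from that code still cannot raise its privilege above that domain, while a trusted caller's doPrivileged() does stop the stack walk. The class names (SandboxDemo, SandboxLoader, GrantAllPolicy, Untrusted) are hypothetical. It assumes JDK 11 to 17 (the SecurityManager is deprecated for removal by JEP 411 in 17; JDK 18 to 23 need -Djava.security.manager=allow, and JDK 24 disables it permanently), and it uses a permit-everything Policy for the application classes only so that the contrast with the sandbox domain is visible; a real deployment would grant far less.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.AccessControlException;
import java.security.AccessController;
import java.security.CodeSource;
import java.security.Permission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.security.Policy;
import java.security.PrivilegedAction;
import java.security.ProtectionDomain;
import java.security.SecureClassLoader;
import java.util.function.IntFunction;

// Hypothetical demo, not JDK code. JDK 11-17; on JDK 18-23 run with -Djava.security.manager=allow.
public class SandboxDemo {

    // Re-defines the Untrusted class from its compiled bytes into a *static* ProtectionDomain.
    // The two-argument ProtectionDomain constructor means Policy is never consulted for it:
    // the permissions passed in are the only ones that code will ever have.
    static final class SandboxLoader extends SecureClassLoader {
        private static final String PREFIX = "SandboxDemo$Untrusted";
        private final ProtectionDomain sandbox;

        SandboxLoader(ClassLoader parent, PermissionCollection perms) {
            super(parent);
            CodeSource cs = new CodeSource(null, (java.security.cert.Certificate[]) null);
            this.sandbox = new ProtectionDomain(cs, perms);
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.startsWith(PREFIX)) {
                return super.loadClass(name, resolve);      // everything else: normal parent delegation
            }
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c == null) {
                    byte[] b = readClassBytes(name);
                    c = defineClass(name, b, 0, b.length, sandbox);   // the restricted domain is assigned here
                }
                if (resolve) resolveClass(c);
                return c;
            }
        }

        private byte[] readClassBytes(String name) throws ClassNotFoundException {
            String res = name.replace('.', '/') + ".class";
            try (InputStream in = getParent().getResourceAsStream(res)) {
                if (in == null) throw new ClassNotFoundException(name);
                return in.readAllBytes();
            } catch (IOException e) {
                throw new ClassNotFoundException(name, e);
            }
        }
    }

    // Policy for the ordinary (dynamic) domains, i.e. the classes in this file loaded by the
    // application loader: grant everything. The sandbox domain is static and never asks it.
    static final class GrantAllPolicy extends Policy {
        @Override public boolean implies(ProtectionDomain pd, Permission p) { return true; }
    }

    // The code we do not trust. It is compiled with this file, but main() loads it through
    // SandboxLoader, so the instance that runs lives in the restricted domain.
    public static final class Untrusted implements IntFunction<String>, PrivilegedAction<String> {
        @Override public String run() { return System.getProperty("user.home"); }

        @Override public String apply(int mode) {
            switch (mode) {
                case 0: return System.getProperty("user.home");       // plain call
                case 1: return AccessController.doPrivileged(this);     // doPrivileged from the sandbox itself
                case 2: return SandboxDemo.readHomeUnprivileged();      // trusted helper, no doPrivileged
                case 3: return SandboxDemo.readHomePrivileged();        // trusted helper, with doPrivileged
                default: throw new IllegalArgumentException("mode " + mode);
            }
        }
    }

    // The stack walk reaches the sandboxed caller's frame and fails, although this class is trusted.
    public static String readHomeUnprivileged() {
        return System.getProperty("user.home");
    }

    // doPrivileged stops the stack walk at this frame, whose domain holds every permission.
    // Library code such as class loading relies on exactly this, which is why it cannot be switched off.
    public static String readHomePrivileged() {
        return AccessController.doPrivileged((PrivilegedAction<String>) () -> System.getProperty("user.home"));
    }

    public static void main(String[] args) throws Exception {
        Policy.setPolicy(new GrantAllPolicy());
        System.setSecurityManager(new SecurityManager());

        PermissionCollection none = new Permissions();   // add Permission objects here to grant the sandbox rights
        SandboxLoader loader = new SandboxLoader(SandboxDemo.class.getClassLoader(), none);
        Class<?> cls = loader.loadClass("SandboxDemo$Untrusted");
        @SuppressWarnings("unchecked")
        IntFunction<String> untrusted = (IntFunction<String>) cls.getConstructor().newInstance();
        System.out.println("defined by sandbox loader: " + (cls.getClassLoader() == loader));

        String[] labels = { "direct getProperty", "doPrivileged from sandbox",
                            "trusted helper without doPrivileged", "trusted helper with doPrivileged" };
        for (int mode = 0; mode < labels.length; mode++) {
            try {
                System.out.println(labels[mode] + ": OK -> " + untrusted.apply(mode));
            } catch (AccessControlException e) {
                System.out.println(labels[mode] + ": DENIED, missing " + e.getPermission());
            }
        }
    }
}
```

Compile and run with `javac SandboxDemo.java && java SandboxDemo`. The first three attempts are denied with a missing PropertyPermission for user.home: the sandbox domain lacks it, and doPrivileged() invoked by the sandboxed class only stops the stack walk at a frame that itself has no such permission. Only the fourth succeeds, because the privileged frame belongs to the trusted class. Note that the Untrusted class is public and the helpers are public static because a class defined by a different loader sits in a different runtime package and cannot see package-private members.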