Alan.Bateman at oracle.com
Mon Apr 10 06:07:36 UTC 2017
On 09/04/2017 23:15, Robert Muir wrote:
> I don't agree with the use of the word ephemeral here, that's
> misleading. Those permissions are *not* needed for outgoing connections.
> The default security policy of Java absolutely allows for backdoors in
> server applications. It does not matter if the port number is 80 or 8000,
> the effect is the same.
I think I said "bind" rather than "outgoing connection". If I'm granted
`SocketPermission "localhost:0", "listen"` then I would expect
`bind(null)` or `bind(new InetSocketAddress(0))` should succeed but I
wouldn't expect to be able to bind to a specific port.
In any case, the default permissions seem like a fine topic to bring to
security-dev. AFAIK the only change to the defaults for JDK 9 is that
`RuntimePermission "stopThread"` is dropped.
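As an added example (not code from this thread or from the JDK sources), the program below exercises the grant discussed above on a JDK that still supports the Security Manager (JDK 9 to 17 as is; JDK 18 and later need -Djava.security.manager=allow). It first evaluates the permission the way ServerSocket.bind does, since SecurityManager.checkListen(port) tests SocketPermission("localhost:" + port, "listen") against the policy, and then enforces it through ListenOnlyPolicy, a hypothetical Policy subclass written for this example that grants nothing but that one permission. Two things to expect: bind(null) or bind(new InetSocketAddress(0)) succeeds while bind(new InetSocketAddress(8000)) is refused, matching the expectation stated above; and because the SocketPermission javadoc defines port 0 as the entire ephemeral port range, the same grant also implies a listen on any explicit port that lies inside that range, which the program shows by re-checking the port the OS just handed out.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.SocketPermission;
import java.security.Permission;
import java.security.Policy;
import java.security.ProtectionDomain;

/**
 * Added example, not from the thread or the JDK: what the grant
 * SocketPermission "localhost:0", "listen" does and does not allow.
 *
 * Needs a JDK with a working Security Manager (JDK 9-17 as is;
 * JDK 18+ requires -Djava.security.manager=allow).
 */
public class ListenGrantDemo {

    /** The single grant under discussion. Port 0 means "the ephemeral range". */
    static final Permission GRANT = new SocketPermission("localhost:0", "listen");

    /**
     * The check ServerSocket.bind triggers: SecurityManager.checkListen(port)
     * asks the policy for SocketPermission("localhost:" + port, "listen").
     */
    static boolean listenImplied(int port) {
        return GRANT.implies(new SocketPermission("localhost:" + port, "listen"));
    }

    /** Hypothetical policy for this example: every domain gets GRANT and nothing else. */
    static final class ListenOnlyPolicy extends Policy {
        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            return GRANT.implies(permission);
        }
    }

    /**
     * Binds a ServerSocket to the given port (0 = let the OS pick, the same as
     * bind(null)) under the installed policy. Returns the bound port, or -1 if
     * the Security Manager refused the bind.
     */
    static int tryBind(int port) {
        try (ServerSocket ss = new ServerSocket()) {
            ss.bind(new InetSocketAddress(port)); // runs checkListen(port) before binding
            return ss.getLocalPort();
        } catch (SecurityException denied) {
            return -1;
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        }
    }

    public static void main(String[] args) {
        // Pure permission arithmetic first; no Security Manager needed for this.
        System.out.println("listen on :0    implied? " + listenImplied(0));
        System.out.println("listen on :80   implied? " + listenImplied(80));
        System.out.println("listen on :8000 implied? " + listenImplied(8000));

        // Now enforce it: install the policy first, then the Security Manager
        // (once a manager is installed, replacing the policy needs its own permission).
        Policy.setPolicy(new ListenOnlyPolicy());
        System.setSecurityManager(new SecurityManager());

        int ephemeral = tryBind(0);
        System.out.println("bind(new InetSocketAddress(0))    -> port " + ephemeral);
        System.out.println("bind(new InetSocketAddress(8000)) -> " + tryBind(8000));

        // Caveat: the port the OS just chose lies inside the ephemeral range that
        // SocketPermission maps port 0 to, so an explicit listen on exactly that
        // port is implied by the very same grant.
        System.out.println("listen on :" + ephemeral + " implied? " + listenImplied(ephemeral));
    }
}
```

Compile and run with javac ListenGrantDemo.java && java ListenGrantDemo (add -Djava.security.manager=allow on JDK 18 or later). The ephemeral range SocketPermission uses is read from the OS (for instance /proc/sys/net/ipv4/ip_local_port_range on Linux), so the last line reflects whatever range the machine it runs on actually has.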