JDK-4286238

exitVM security property not working


    • Bug
    • Resolution: Fixed
    • P4
    • 1.4.0
    • 1.3.0
    • docs
    • beta2
    • generic, x86
    • solaris_7, windows_nt



      Name: sg39081 Date: 10/29/99


      It is my belief that this is a bug, as it allows code downloaded
      into an application to mount a DoS attack by simply killing the
      application. This is documented in the JDK API, but does not seem
      to work like the rest of the security checks.

      //In the code, I don't set up a security manager, as this is done
      //by specifying the java.security.manager property at the command
      //line.

      //Note: The JavaDoc for the JDK states in Runtime.exit() that:-
        "throws SecurityException - If a security manager is present and its
        checkExit method does not permit exiting with the specified status"

      This means that a call to System.exit(0), which merely delegates to
      Runtime.exit(), should first check for the appropriate permissions and
      throw a SecurityException or AccessControlException if that permission
      does not exist.

         package tests;

         public class SecurityTest {
            public static void main( String[] args ) throws Exception {
               //We could set up a security manager here, or do it on the
               //cmd line.
               //Example of doing it here.
               //System.setSecurityManager( new SecurityManager() );

               //This fails if the appropriate permission is left out of
               //mypolicy. The failure is an AccessControlException.
               System.getProperty("java.home", "not specified");
               //This should fail since that permission is not granted.
               System.exit( 0 );
            }
         }

      //Here, we specify that the default security manager should be used, and
      //that the policies should include the "mypolicy" file.
      Cmd Line> java -Djava.security.policy=mypolicy -Djava.security.manager tests.SecurityTest

      //This is the policy file. Note the lack of a permission, namely,
      // permission java.lang.RuntimePermission "exitVM";
      //According to the docs, this should result in a security exception
      //being thrown when the appropriate System.exit() method is called.
      >policy file = mypolicy
      grant codeBase "file:/d:/work/java/-" {
        permission java.util.PropertyPermission "java.*", "read";
      };

      >java -version
      java version "1.3beta"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.3beta-O)
      Java(TM) HotSpot Client VM (build 1.3beta-O, mixed mode)

      >java -fullversion
      java full version "1.3beta-O"
      (Review ID: 96704)
      ======================================================================
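
A way to observe the behaviour reported above without terminating the VM, as an added example that is not part of the original report or of the JDK sources: it asks the installed security manager directly whether exit and property reads are allowed and prints each verdict. The class name ExitCheckProbe and the choice of probed properties are assumptions, and it assumes a JDK on which -Djava.security.manager is still supported.

```java
import java.util.function.Consumer;

// Added diagnostic, not from the report. ExitCheckProbe is a hypothetical name.
public class ExitCheckProbe {

    /** Runs one SecurityManager check and reports the outcome instead of acting on it. */
    static String probe(String label, Consumer<SecurityManager> check) {
        SecurityManager sm = System.getSecurityManager();
        if (sm == null) {
            return label + ": UNCHECKED (no security manager installed)";
        }
        try {
            check.accept(sm);
            return label + ": PERMITTED";
        } catch (SecurityException e) {
            // AccessControlException is a subclass of SecurityException.
            return label + ": DENIED (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // checkExit is the check named in the Runtime.exit() JavaDoc quoted in the report.
        System.out.println(probe("exit(0)", sm -> sm.checkExit(0)));
        System.out.println(probe("exit(1)", sm -> sm.checkExit(1)));
        // Property reads, for comparison with the "java.*" grant in mypolicy.
        System.out.println(probe("read java.home", sm -> sm.checkPropertyAccess("java.home")));
        System.out.println(probe("read user.home", sm -> sm.checkPropertyAccess("user.home")));
    }
}
```

Run it with the same flags as the report (java -Djava.security.policy=mypolicy -Djava.security.manager ExitCheckProbe) and compare the four verdicts with what the policy file grants.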

            duke J. Duke
            sgoodsunw Sheri Good (Inactive)