I see it as a straight lift of the unix feature setuid.
Source : Wiki
When an executable file has been given the
setuid attribute, normal users on the system who have permission to execute this file gain the privileges of the user who owns the file within the created process.
For example the passwd executable.
Inorder for any user to change password one has to get access to the password file and modify its contents corresponding to this user.And its not feasible to give any user write permissions to the password file.
Solution :
A passwd executable owned by root is assigned setuid attribute and this is trusted code.Any non-root user who wants to change is password invokes 'passwd' executable.A process is spawned with its effective userid 'root' as the passwd executable has its setuid set.
Same is the case with AccessController.doPriviledged.
This is my trusted code and have given it permissions to change a file named 'security.txt'
class Trusted{
public static void modify(){
//code to access and modify security.txt file
}
}
UntrustedCode with no FilePermissions but need to modify security.txt
class UnTrusted {
public static void modifythroughuntrusted(){
Trusted.modify();
}
}
When the above UnTrustedCode is executed there is a security exception raised.Let us examine the call stack,
UnTrusted.modifythroughuntrusted ---> Trusted.
modify ---> FilerelatedOperation which calls securitymanager to look if the current thread of execution has the required permissions to do so.
check 1 ) Trusted. modify ---> has file permission --- true
check 1 ) Trusted. modify ---> has file permission --- false
Hence we receive SecurityException.
Modify the code TrustedClass code
class Trusted{
public static void modify(){
AccessController.doPriviledged( new PriviledgedAction(){
public void run(){
//code to access and modify security.txt file
}
}
}
}
After this modification the unTrustedCode will be able to modify the security.txt file, though it does not have the required filepermission.
Let us examine the call stack again
UnTrusted.modifythroughuntrusted ---> Trusted. modify ---> FilerelatedOperation which calls securitymanager to look if the current thread of execution has the required permissions to do so.
check 1 ) Trusted. modify ---> has file permission --- true & this is marked priviledged so will not check the further callstack for permission and returns, allowing the code to proceed further.
---look this section for additions ---
No comments:
Post a Comment