Incomplete protection through ACL ownership
Anno Langen (anno@weblogic.com)
Fri, 19 Sep 1997 11:14:05 -0700
To: java-security@web2.javasoft.com

The API documentation for java.security.acl.Acl states:

    The java.security.acl.Acl interface extends the
    java.security.acl.Owner interface. The Owner interface is used to
    maintain a list of owners for each ACL. Only owners are allowed to
    modify an ACL.

The underlying intention appears to be to control access to access control.
This intention is undermined by two flaws:

First, the Group API has no corresponding protection for adding members.
Often, a perpetrator can find ACL entries that grant some group the coveted
permission and then add himself as a member to that group. This modifies
access control without directly modifying an ACL.

Second, the method, entries, of the default implementation
sun.security.AclImpl returns entries that can be used to modify the ACL.
Shouldn't modifying enumerated entries leave the ACL unaffected?

Anno
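
The following is an added example, not part of the original message and not code from java.security.acl or Sun's AclImpl. It is a simplified model of a design that closes both gaps described above: group membership changes require an owner, and enumerated entries are copies. All class, method and principal names in it are hypothetical.

```java
import java.util.*;
// Simplified model with hypothetical classes; not java.security.acl or Sun's AclImpl.
public class OwnedAclDemo {
    // Group whose membership changes need an owner, like Acl's own owner check.
    static final class OwnedGroup {
        private final Set<String> owners = new HashSet<>(), members = new HashSet<>();
        OwnedGroup(String owner) { owners.add(owner); }
        boolean addMember(String caller, String member) {
            if (!owners.contains(caller)) throw new SecurityException(caller + " is not a group owner");
            return members.add(member);
        }
        boolean isMember(String p) { return members.contains(p); }
    }
    static final class Entry {
        final OwnedGroup grantee;
        final Set<String> permissions = new HashSet<>();
        Entry(OwnedGroup g, Collection<String> perms) { grantee = g; permissions.addAll(perms); }
        Entry copy() { return new Entry(grantee, permissions); } // group itself is owner-guarded
    }
    static final class OwnedAcl {
        private final Set<String> owners = new HashSet<>();
        private final List<Entry> entries = new ArrayList<>();
        OwnedAcl(String owner) { owners.add(owner); }
        void addEntry(String caller, Entry e) {
            if (!owners.contains(caller)) throw new SecurityException(caller + " is not an ACL owner");
            entries.add(e.copy()); // keep a private copy; the caller's object stays detached
        }
        // Enumerate copies, so edits to a returned entry never reach the ACL.
        List<Entry> entries() {
            List<Entry> out = new ArrayList<>();
            for (Entry e : entries) out.add(e.copy());
            return out;
        }
        boolean checkPermission(String principal, String perm) {
            for (Entry e : entries)
                if (e.grantee.isMember(principal) && e.permissions.contains(perm)) return true;
            return false;
        }
    }
    public static void main(String[] args) {
        OwnedGroup admins = new OwnedGroup("alice"); // constructed sample principals
        admins.addMember("alice", "alice");
        OwnedAcl acl = new OwnedAcl("alice");
        acl.addEntry("alice", new Entry(admins, List.of("read")));
        acl.entries().get(0).permissions.add("write"); // changes only the copy
        System.out.println("alice write: " + acl.checkPermission("alice", "write"));
        try { admins.addMember("mallory", "mallory"); }
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```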