Security Manager equivalent of the "setuid" bit

[erelsgl]

Hi,

I am working on an application where users can upload custom Javscript code, and my server runs this code (using the Rhino Script Engine). Of course I run the custom code under a very strict SecurityManager, to prevent the users from damaging my server. I don't allow any access to sockets, files, etc.

However, I do want to allow them to run some privileged actions in a limited way, for example, an action such as "readFactFromDatabase(a,b,c)" should go to a specific table in the database and read a specific row. This action cannot run under the strict SecurityManager because it uses sockets and files.

I need a mechanism that is similar to the "setuid" bit in Linux - something that allows a thread under some SecurityManager to run specific actions as if it had no SecurityManager.

I hope I explained myself correctly...

[JosAH]

Make your SecurityManager switchable; i.e. when switched to false it allows everything, while being switched to true it does the checks it normally does. Ordinary code doesn't know about your switchable SecurityManager, only your code does and it switches it to false when it needs to.

kind regards,

Jos

[erelsgl]

Great idea, thanks!

But what if my system is open source? In this case, everyone will know the name of the switch field, and will be able to change it!

[JosAH]

Great idea, thanks!

But what if my system is open source? In this case, everyone will know the name of the switch field, and will be able to change it!

If you code is open source everybody can define their own SecurityManager that allows everything and install it; all bets are off then ...

kind regards,

Jos

[erelsgl]

I don't care if someones download the code, install it on their own servers, and change the security manager.

I only care about the code that I installed on my own server - I don't want that users who submit code will be able to disable the security manager.

Ah, but now I have an idea - use a custom configuration file with a "password" for disabling the security manager, such that every sysadmin that installs the code will set his/her own password. I have to try this.

[erelsgl]

Make your SecurityManager switchable; i.e. when switched to false it allows everything, while being switched to true it does the checks it normally does. Ordinary code doesn't know about your switchable SecurityManager, only your code does and it switches it to false when it needs to.

I spotted a problem in this solution - the user can use reflection to get all the methods of the current security manager, and try them one by one, until he finds a method that switches it off!