JDK-8043296 : De-privilege DNS name service provider
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 9
  • Priority: P3
  • Status: Resolved
  • Resolution: Not an Issue
  • Submitted: 2014-05-16
  • Updated: 2016-05-20
  • Resolved: 2016-05-20
Related Reports
Relates :  
JDK-8065419 - Update java/net tests to eliminate dependency on sun.net.spi.nameservice.NameService ���sun.net.spi.nameservice.NameServiceDescriptor and sun.management.VMManagement
Relates :  
JDK-8134577 - Eliminate or standardize a replacement for sun.net.spi.nameservice.NameServiceDescriptor
Description
DNS name service provider is installed in the extension directory and currently granted with AllPermission.   A service provider implementation should need SocketPermission and not need AllPermission.

The prototype to change the permissions for dnsns.jar uncovers a circular problem in networking security when performing a security check, SocketPermission will first resolve a name to get the IP address.  When there is a DNS nameservice provider not with AllPermission, checking the SocketPermission will iterate each name service provider to get address (in this case it's the DNSNameService) that triggers another socket permission check. When it used to have AllPermission, the socket permission check was fast-path and I think it's the first time running into this problem when we change the permissions for dnsns.jar.

This is to follow up to evaluate the permissions required by DNS name service provider.
Comments
this should not be an issue now ... it's been removed
20-05-2016
JDK-8134577 removed the JNDI DNS NameService provider. In fact, the NameService service type has also been removed. Is this issue still relevant, or can it be closed out?
19-05-2016
This issue is in open status, but still unassigned. Could you specify an assignee?
15-12-2014