Incomplete protection through ACL ownership

Anno Langen (anno@weblogic.com)
Fri, 19 Sep 1997 11:14:05 -0700

Date: Fri, 19 Sep 1997 11:14:05 -0700
From: anno@weblogic.com (Anno Langen)
To: java-security@web2.javasoft.com
Subject: Incomplete protection through ACL ownership

The API documentation for java.security.acl.Acl states:

The underlying intention appears to be to control access to access control. This intention is undermined by two flaws: First, the Group API has no corresponding protection for adding members.  Often, a perpetrator can find ACL entries that grant some group the coveted permission and then add himself as member to that group.  This modifies access control without directly modifying an ACL. Second, the method, entries, of the default implementation sun.security.AclImpl returns entries that can be used to modify the ACL.  Shouldn't modifying enumerated entries leave the ACL unaffected?

    Anno