Mike Meyer wrote:
> Paul Rubin <http://[EMAIL PROTECTED]> writes:
>
>>>>That's not what privilege separation means. It means that the
>>>>privileged objects stay secure even when the unprivileged part of the
>>>>program is completely controlled by an attacker.
>>>
>>>In which case, what's "private" got to do with this? The examples I've
>>>seen of it don't give you privilege separation any more than python does.
>>
>>If you have a java class instance with a private member that's (say) a
>>network socket to a special port, access to the port is controlled
>>entirely by that class.
>
>
> Are you sure? My understanding was that Java's introspection mechanism
> could be used to access private variables.

Yes, in a Java application with the default security manager it is
trivial to access a private variable of another class using
introspection. For example:

/* HasPrivate.java */
public class HasPrivate {
    private int myPrivate = 42;
}

/* HackPrivate.java */
import java.lang.reflect.Field;

public class HackPrivate {
    public static void main(String[] argv) throws Exception {
        HasPrivate hp = new HasPrivate();
        Field notSoPrivate = hp.getClass().getDeclaredField("myPrivate");
        notSoPrivate.setAccessible(true);
        System.out.println("myPrivate = " + notSoPrivate.getInt(hp));
    }
}

Kent
-- 
http://mail.python.org/mailman/listinfo/python-list
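
Added example, not part of Kent's message or the original thread: the same reflective access probed from the defender's side, showing where the runtime grants it and where it refuses. The names ReflectionBoundary, Guarded, secret and probe are hypothetical, and the denial for String.value assumes JDK 17 or later, code running from the class path, and no --add-opens option.

```java
/* ReflectionBoundary.java - added example; all names here are hypothetical */
import java.lang.reflect.Field;

/* Stand-in for a class that guards a resource behind a private field. */
class Guarded {
    private int secret = 42;
}

public class ReflectionBoundary {

    /* Reports whether the runtime lets this caller suppress access checks. */
    static String probe(Class<?> owner, String fieldName) {
        String label = owner.getName() + "." + fieldName + ": ";
        try {
            Field f = owner.getDeclaredField(fieldName);
            // trySetAccessible() (Java 9+) returns false instead of throwing
            // when the declaring module does not open the package to us.
            return label + (f.trySetAccessible()
                    ? "access granted"
                    : "denied by module encapsulation");
        } catch (NoSuchFieldException e) {
            return label + "no such field";
        } catch (SecurityException e) {
            // Raised when an installed security manager refuses the request.
            return label + "denied by security manager";
        }
    }

    public static void main(String[] args) {
        // Same (unnamed) module as the caller: "private" is not a boundary.
        System.out.println(probe(Guarded.class, "secret"));
        // java.base does not open java.lang to application code (assumes
        // JDK 17+ and no --add-opens), so this request is refused.
        System.out.println(probe(String.class, "value"));
    }
}
```

The first probe is granted because both classes live in the same module; only a boundary the runtime enforces (a module that does not open its package, or a security manager policy) turns the second one down.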