Restricting file permissions

Additional file protections are available on some file systems, including Windows NTFS, Unix, and Linux. If you are running a Java 7 or higher VM, you can configure Derby to take advantage of these extra file protections.

By default, Derby creates new directories and files with the default permissions of the operating system account that started the VM (the umask setting on Unix and Linux). You can configure Derby to override those default permissions and to restrict access to just that account. If you configure Derby this way, only that account can access the directories and files created by Derby. If you are running on a Java 7 or higher VM, you can configure this extra protection by setting the following system property, either on the VM command line or in derby.properties:

derby.storage.useDefaultFilePermissions=false

For more information, see "derby.storage.useDefaultFilePermissions" in the Derby Reference Manual.

If you set this property, other operating system accounts will have no access to directories or files created by Derby. This behavior can be helpful in enhancing default security for database files.

The exact behavior is determined by two factors: how the Derby engine is started, and the presence or absence and specified value of the property derby.storage.useDefaultFilePermissions.

The two tables that follow show how file access works with Java SE 7 and later JVMs and with Java SE 6. In both tables,

The following table shows how file access works on Java SE 7 and later systems with various settings of the derby.storage.useDefaultFilePermissions property.

Table 1. File access on Java SE 7 and later systems
Property Setting Server Started from Command Line Server Started Programmatically or Embedded
No property specified Restricted Environment
Property set to true Environment Environment
Property set to false Restricted Restricted

The following table shows how file access works on Java SE 6 systems.

Table 2. File access on Java SE 6 systems
Property Setting Server Started from Command Line Server Started Programmatically or Embedded
Not applicable Environment Environment

If you are running on a Java 6 or earlier VM, then you may want to adjust your account's default file permissions before using Derby.

Related concepts
Basic security configuration tasks
Configuring database encryption
Using signed jar files
Configuring SSL/TLS
Understanding identity in Derby
Configuring user authentication
Configuring user authorization
Configuring Java security
Putting it all together