By default, creates
new directories and files with the default permissions of the operating system
account that started the VM (the umask setting on Unix and Linux). You can
configure to override
those default permissions and to restrict access to just that account. If you
configure this way,
only that account can access the directories and files created by
. You can configure this extra protection by setting the
following system property, either on the VM command line or in
derby.properties:
derby.storage.useDefaultFilePermissions=false
For more information, see "derby.storage.useDefaultFilePermissions" in
the .
If you set this property, other operating system accounts will have no access
to directories or files created by
. This behavior can be
helpful in enhancing default security for database files.
The exact behavior is determined by two factors: how the
engine is started, and
the presence or absence and specified value of the property
derby.storage.useDefaultFilePermissions.
The following table shows how file access works. In this table,
- "Environment" means that access is controlled entirely by the JVM
environment and the file location only (that is, by the umask setting on UNIX
and Linux systems and by the default file permissions on Windows NTFS).
- "Restricted" means that
restricts access to the
operating system account that started the JVM.
The following table shows how file access works
with various settings of the
derby.storage.useDefaultFilePermissions property.
File access
This table shows how access to files is controlled.
Property Setting
Server Started from Command Line
Server Started Programmatically or Embedded
No property specified
Restricted
Environment
Property set to true
Environment
Environment
Property set to false
Restricted
Restricted