[icedtea-web] RFC: reduce permissions on created files

Omair Majid omajid at redhat.com
Thu Nov 11 17:14:39 PST 2010 

Hi,

The attached patch tries to make files created by netx/plugin more 
secure by removing unnecessary permissions. IcedTea6 used to carry a 
patch to change the umask used by the javaws process which IcedTea-Web 
does not. This patch tries to make netx/plugin behave like they would in 
the presence of such a patch.

This patch does not change the file permissions on files that are cached 
(mostly because I dont see why they should be protected), but does 
change permissions on KeyStores, native directories created under /tmp/, 
lock files, files created through the JNLP api and log files.

ChangeLog:
2010-11-11  Omair Majid  <omajid at redhat.com>

     * netx/net/sourceforge/jnlp/util/FileUtils.java
     (restrictFile): New method. Removes extra permissions on a file.
     * netx/net/sourceforge/jnlp/Launcher.java
     (markNetxRunning): Do not grant unnecessary file permissions.
     * netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
     (ImportButtonListener.actionPerformed): Likewise.
     (RemoveButtonListener.actionPerformed): Likewise.
     * netx/net/sourceforge/jnlp/services/SingleInstanceLock.java
     (createWithPort): Likewise.
     (getLockFile): Likewise.
     * netx/net/sourceforge/jnlp/services/XExtendedService.java
     (openFile): Likewise.
     * netx/net/sourceforge/jnlp/services/XFileSaveService.java
     (writeToFile): Likewise.
     * netx/net/sourceforge/jnlp/services/XPersistenceService.java
     (create): Likewise.
     * netx/net/sourceforge/jnlp/util/XDesktopEntry.java
     (installDesktopLauncher): Likewise.
     * plugin/icedteanp/java/sun/applet/PluginMain.java
     (PluginMain): Likewise.

Any thoughts or comments?

Cheers,
Omair
-------------- next part --------------
A non-text attachment was scrubbed...
Name: icedtea-web-reduce-file-permissions.patch
Type: text/x-patch
Size: 13966 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20101111/266629ee/icedtea-web-reduce-file-permissions.patch

More information about the distro-pkg-dev mailing list