[icedtea-web] RFC: reduce permissions on created files
Deepak Bhole
dbhole at redhat.com
Wed Nov 24 10:41:44 PST 2010
* Omair Majid <omajid at redhat.com> [2010-11-23 14:54]:
> On 11/22/2010 03:31 PM, Deepak Bhole wrote:
> >* Omair Majid<omajid at redhat.com> [2010-11-12 09:46]:
> >>On 11/12/2010 06:54 AM, Dr Andrew John Hughes wrote:
> >>>On 20:14 Thu 11 Nov , Omair Majid wrote:
> >>>>Hi,
> >>>>
> >>>>The attached patch tries to make files created by netx/plugin more
> >>>>secure by removing unnecessary permissions. IcedTea6 used to carry a
> >>>>patch to change the umask used by the javaws process which IcedTea-Web
> >>>>does not. This patch tries to make netx/plugin behave like they would in
> >>>>the presence of such a patch.
> >>>>
> >>>>This patch does not change the file permissions on files that are cached
> >>>>(mostly because I dont see why they should be protected), but does
> >>>>change permissions on KeyStores, native directories created under /tmp/,
> >>>>lock files, files created through the JNLP api and log files.
> >>>>
> >>>
> >>>I think this is a better approach, though we should be aware that the permissions
> >>>are now changed after the file has been created, whereas before (I presume) they
> >>>were created with the correct permissions to begin with.
> >>>
> >>
> >>Hm... Does creating a new (blank) file, setting appropriate
> >>permissions on it and then writing content to it ensure that the
> >>content can not be seen by others? This was the original intent with
> >>this patch (I have since noticed one mistake in the patch). If
> >>creating a blank file, setting permissions on it and then writing
> >>actual content does not ensure the confidentiality of the data, then
> >>I would like to find another way to accomplish this.
> >>
> >>Thanks for looking over the patch.
> >>
> >
> >Good point Andrew! This patch needs to be modified. If a file is created
> >with og+[r|w|x] and then restricted, anything that opened the handle
> >before the change will have the permissions it did when the handle was
> >opened. We need to create the file under a different (temp) name, change
> >permissions, and then move it. AFAIK that shouldn't allow access.
> >
> >Access bypass can be verified as follows:
> >1. Create a file as one user (A), allow a+r
> >2. tail -f that file as another user (B)
> >3. As A, og-rwx the file
> >4. As A, write to the file
> >
> >The tail -f command from #2 will show the output, thus confirming that
> >user B has access when they shouldn't.
> >
> >tail -f no longer gets the info if the file is renamed to something else
> >between step 3 and 4.
> >
>
> Thanks for the name change idea. The attached patch implements it. Thoughts?
>
Looks good! Once suggestion though -- it might be helpful for
debugging/catching errors more easily if the exceptions thrown in
createRestrictedFile() printed the file name along with the message.
Also, the message should be in the message properties file imo, as users
might encounter this more frequently if they set the wrong values.
After above changes, okay for 1.0, please push to HEAD.
Cheers,
Deepak
> Cheers,
> Omair
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/Launcher.java
> --- a/netx/net/sourceforge/jnlp/Launcher.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/Launcher.java Tue Nov 23 13:50:30 2010 -0500
> @@ -48,6 +48,7 @@
> import net.sourceforge.jnlp.runtime.JNLPRuntime;
> import net.sourceforge.jnlp.services.InstanceExistsException;
> import net.sourceforge.jnlp.services.ServiceUtil;
> +import net.sourceforge.jnlp.util.FileUtils;
> import net.sourceforge.jnlp.util.Reflect;
>
> import javax.swing.SwingUtilities;
> @@ -728,21 +729,13 @@
> File netxRunningFile = new File(JNLPRuntime.getConfiguration()
> .getProperty(DeploymentConfiguration.KEY_USER_NETX_RUNNING_FILE));
> netxRunningFile.getParentFile().mkdirs();
> - if (netxRunningFile.createNewFile()) {
> - FileOutputStream fos = new FileOutputStream(netxRunningFile);
> - try {
> - fos.write(message.getBytes());
> - } finally {
> - fos.close();
> - }
> - }
>
> - if (!netxRunningFile.isFile()) {
> - if (JNLPRuntime.isDebug()) {
> - System.err.println("Unable to create instance file");
> - }
> - fileLock = null;
> - return;
> + FileUtils.createRestrictedFile(netxRunningFile, true);
> + FileOutputStream fos = new FileOutputStream(netxRunningFile);
> + try {
> + fos.write(message.getBytes());
> + } finally {
> + fos.close();
> }
>
> FileInputStream is = new FileInputStream(netxRunningFile);
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/resources/Messages.properties
> --- a/netx/net/sourceforge/jnlp/resources/Messages.properties Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/resources/Messages.properties Tue Nov 23 13:50:30 2010 -0500
> @@ -153,7 +153,6 @@
> BOHeadless = Disables download window, other UIs.
> BOStrict = Enables strict checking of JNLP file format.
> BOViewer = Shows the trusted certificate viewer.
> -BOUmask = Sets the umask for files created by an application.
> BXnofork = Do not create another JVM.
> BXclearcache= Clean the JNLP application cache.
> BOHelp = Print this message and exit.
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/runtime/Boot.java
> --- a/netx/net/sourceforge/jnlp/runtime/Boot.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/Boot.java Tue Nov 23 13:50:30 2010 -0500
> @@ -106,7 +106,6 @@
> + " -noupdate "+R("BONoupdate")+"\n"
> + " -headless "+R("BOHeadless")+"\n"
> + " -strict "+R("BOStrict")+"\n"
> - + " -umask=value "+R("BOUmask")+"\n"
> + " -Xnofork "+R("BXnofork")+"\n"
> + " -Xclearcache "+R("BXclearcache")+"\n"
> + " -help "+R("BOHelp")+"\n";
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPClassLoader.java Tue Nov 23 13:50:30 2010 -0500
> @@ -815,7 +815,9 @@
> nativeDir = getNativeDir();
>
> File outFile = new File(nativeDir, name);
> -
> + if (!outFile.isFile()) {
> + FileUtils.createRestrictedFile(outFile, true);
> + }
> CacheUtil.streamCopy(jarFile.getInputStream(e),
> new FileOutputStream(outFile));
>
> @@ -837,12 +839,18 @@
> + File.separator + "netx-native-"
> + (new Random().nextInt() & 0xFFFF));
>
> - if (!nativeDir.mkdirs())
> + File parent = nativeDir.getParentFile();
> + if (!parent.isDirectory() && !parent.mkdirs()) {
> return null;
> - else {
> + }
> +
> + try {
> + FileUtils.createRestrictedDirectory(nativeDir);
> // add this new native directory to the search path
> addNativeDirectory(nativeDir);
> return nativeDir;
> + } catch (IOException e) {
> + return null;
> }
> }
>
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java
> --- a/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/runtime/JNLPRuntime.java Tue Nov 23 13:50:30 2010 -0500
> @@ -304,12 +304,15 @@
> .getProperty(DeploymentConfiguration.KEY_ENABLE_LOGGING));
> if (redirectStreams || enableLogging) {
> String logDir = config.getProperty(DeploymentConfiguration.KEY_USER_LOG_DIR);
> - File errFile = new File(logDir, JNLPRuntime.STDERR_FILE);
> - errFile.getParentFile().mkdirs();
> - File outFile = new File(logDir, JNLPRuntime.STDOUT_FILE);
> - outFile.getParentFile().mkdirs();
>
> try {
> + File errFile = new File(logDir, JNLPRuntime.STDERR_FILE);
> + errFile.getParentFile().mkdirs();
> + FileUtils.createRestrictedFile(errFile, true);
> + File outFile = new File(logDir, JNLPRuntime.STDOUT_FILE);
> + outFile.getParentFile().mkdirs();
> + FileUtils.createRestrictedFile(outFile, true);
> +
> if (redirectStreams) {
> System.setErr(new PrintStream(new FileOutputStream(errFile)));
> System.setOut(new PrintStream(new FileOutputStream(outFile)));
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/security/CertWarningPane.java
> --- a/netx/net/sourceforge/jnlp/security/CertWarningPane.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/CertWarningPane.java Tue Nov 23 13:50:30 2010 -0500
> @@ -47,6 +47,7 @@
> import java.awt.GridLayout;
> import java.awt.event.ActionEvent;
> import java.awt.event.ActionListener;
> +import java.io.File;
> import java.io.FileOutputStream;
> import java.io.OutputStream;
> import java.security.KeyStore;
> @@ -68,6 +69,7 @@
> import net.sourceforge.jnlp.security.KeyStores.Level;
> import net.sourceforge.jnlp.security.KeyStores.Type;
> import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
> +import net.sourceforge.jnlp.util.FileUtils;
>
> /**
> * Provides the panel for using inside a SecurityWarningDialog. These dialogs are
> @@ -246,7 +248,12 @@
> KeyStore ks = KeyStores.getKeyStore(Level.USER, Type.CERTS);
> X509Certificate c = (X509Certificate) parent.getJarSigner().getPublisher();
> CertificateUtils.addToKeyStore(c, ks);
> - OutputStream os = new FileOutputStream(KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS));
> + File keyStoreFile = new File(KeyStores.getKeyStoreLocation(Level.USER, Type.CERTS));
> + if (!keyStoreFile.isFile()) {
> + FileUtils.createRestrictedFile(keyStoreFile, true);
> + }
> +
> + OutputStream os = new FileOutputStream(keyStoreFile);
> ks.store(os, KeyStores.getPassword());
> if (JNLPRuntime.isDebug()) {
> System.out.println("certificate is now permanently trusted");
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/security/KeyStores.java
> --- a/netx/net/sourceforge/jnlp/security/KeyStores.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/KeyStores.java Tue Nov 23 13:50:30 2010 -0500
> @@ -53,6 +53,7 @@
> import net.sourceforge.jnlp.runtime.DeploymentConfiguration;
> import net.sourceforge.jnlp.runtime.JNLPRuntime;
> import net.sourceforge.jnlp.runtime.Translator;
> +import net.sourceforge.jnlp.util.FileUtils;
>
> /**
> * The <code>KeyStores</code> class allows easily accessing the various KeyStores
> @@ -339,6 +340,8 @@
> if (!parent.isDirectory() && !parent.mkdirs()) {
> throw new IOException("unable to create " + parent);
> }
> + FileUtils.createRestrictedFile(file, true);
> +
> ks = KeyStore.getInstance(KEYSTORE_TYPE);
> ks.load(null, password.toCharArray());
> FileOutputStream fos = new FileOutputStream(file);
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java
> --- a/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/security/viewer/CertificatePane.java Tue Nov 23 13:50:30 2010 -0500
> @@ -45,6 +45,7 @@
> import java.awt.event.ActionEvent;
> import java.awt.event.ActionListener;
> import java.awt.event.KeyEvent;
> +import java.io.File;
> import java.io.FileOutputStream;
> import java.io.OutputStream;
> import java.io.PrintStream;
> @@ -76,6 +77,7 @@
> import net.sourceforge.jnlp.security.SecurityUtil;
> import net.sourceforge.jnlp.security.SecurityWarningDialog;
> import net.sourceforge.jnlp.security.KeyStores.Level;
> +import net.sourceforge.jnlp.util.FileUtils;
>
> public class CertificatePane extends JPanel {
>
> @@ -361,8 +363,13 @@
> try {
> KeyStore ks = keyStore;
> CertificateUtils.addToKeyStore(chooser.getSelectedFile(), ks);
> - OutputStream os = new FileOutputStream(
> - KeyStores.getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> + File keyStoreFile = new File(KeyStores
> + .getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> + if (!keyStoreFile.isFile()) {
> + FileUtils.createRestrictedFile(keyStoreFile, true);
> + }
> +
> + OutputStream os = new FileOutputStream(keyStoreFile);
> ks.store(os, KeyStores.getPassword());
> repopulateTables();
> } catch (Exception ex) {
> @@ -436,8 +443,12 @@
> JOptionPane.YES_NO_OPTION);
> if (i == 0) {
> keyStore.deleteEntry(alias);
> - FileOutputStream fos = new FileOutputStream(
> - KeyStores.getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> + File keyStoreFile = new File(KeyStores
> + .getKeyStoreLocation(currentKeyStoreLevel, currentKeyStoreType));
> + if (!keyStoreFile.isFile()) {
> + FileUtils.createRestrictedFile(keyStoreFile, true);
> + }
> + FileOutputStream fos = new FileOutputStream(keyStoreFile);
> keyStore.store(fos, KeyStores.getPassword());
> fos.close();
> }
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/services/SingleInstanceLock.java
> --- a/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/services/SingleInstanceLock.java Tue Nov 23 13:50:30 2010 -0500
> @@ -67,6 +67,7 @@
> */
> public void createWithPort(int localPort) throws IOException {
>
> + FileUtils.createRestrictedFile(lockFile, true);
> BufferedWriter lockFileWriter = new BufferedWriter(new FileWriter(lockFile, false));
> lockFileWriter.write(String.valueOf(localPort));
> lockFileWriter.newLine();
> @@ -132,9 +133,17 @@
> File baseDir = new File(JNLPRuntime.getConfiguration()
> .getProperty(DeploymentConfiguration.KEY_USER_LOCKS_DIR));
>
> - if (!baseDir.isDirectory() && !baseDir.mkdirs()) {
> - throw new RuntimeException(R("RNoLockDir", baseDir));
> + if (!baseDir.isDirectory()) {
> + if (!baseDir.getParentFile().isDirectory() && !baseDir.getParentFile().mkdirs()) {
> + throw new RuntimeException(R("RNoLockDir", baseDir));
> + }
> + try {
> + FileUtils.createRestrictedDirectory(baseDir);
> + } catch (IOException e) {
> + throw new RuntimeException(R("RNoLockDir", baseDir));
> + }
> }
> +
> String lockFileName = getLockFileName();
> File applicationLockFile = new File(baseDir, lockFileName);
> return applicationLockFile;
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/services/XFileSaveService.java
> --- a/netx/net/sourceforge/jnlp/services/XFileSaveService.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/services/XFileSaveService.java Tue Nov 23 13:50:30 2010 -0500
> @@ -44,6 +44,7 @@
> import javax.jnlp.*;
>
> import net.sourceforge.jnlp.security.SecurityWarning.AccessType;
> +import net.sourceforge.jnlp.util.FileUtils;
>
> import javax.swing.JFileChooser;
> import javax.swing.JOptionPane;
> @@ -121,7 +122,7 @@
> if (!replace)
> return;
> } else {
> - file.createNewFile();
> + FileUtils.createRestrictedFile(file, true);
> }
>
> if (file.canWrite()) {
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/services/XPersistenceService.java
> --- a/netx/net/sourceforge/jnlp/services/XPersistenceService.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/services/XPersistenceService.java Tue Nov 23 13:50:30 2010 -0500
> @@ -26,6 +26,7 @@
> import net.sourceforge.jnlp.*;
> import net.sourceforge.jnlp.cache.*;
> import net.sourceforge.jnlp.runtime.*;
> +import net.sourceforge.jnlp.util.FileUtils;
>
> /**
> * The BasicService JNLP service.
> @@ -96,9 +97,11 @@
> File file = toCacheFile(location);
> file.getParentFile().mkdirs();
>
> - if (!file.createNewFile())
> + if (!file.exists())
> throw new IOException("File already exists.");
>
> + FileUtils.createRestrictedFile(file, true);
> +
> return maxsize;
> }
>
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/util/FileUtils.java
> --- a/netx/net/sourceforge/jnlp/util/FileUtils.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/util/FileUtils.java Tue Nov 23 13:50:30 2010 -0500
> @@ -18,6 +18,7 @@
>
> import java.io.File;
> import java.io.IOException;
> +import java.util.Random;
>
> import net.sourceforge.jnlp.runtime.JNLPRuntime;
>
> @@ -72,6 +73,79 @@
> }
>
> /**
> + * Creates a new directory with minimum permissions. The directory is not
> + * readable or writable by anyone other than the owner. The parent
> + * directories are not created; they must exist before this is called.
> + *
> + * @throws IOException
> + */
> + public static void createRestrictedDirectory(File directory) throws IOException {
> + createRestrictedFile(directory, true, true);
> + }
> +
> + /**
> + * Creates a new file with minimum permissions. The file is not readable or
> + * writable by anyone other than the owner. If writeableByOnwer is false,
> + * even the owner can not write to it.
> + *
> + * @throws IOException
> + */
> + public static void createRestrictedFile(File file, boolean writableByOwner) throws IOException {
> + createRestrictedFile(file, false, writableByOwner);
> + }
> +
> + /**
> + * Creates a new file or directory with minimum permissions. The file is not
> + * readable or writable by anyone other than the owner. If writeableByOnwer
> + * is false, even the owner can not write to it. If isDir is true, then the
> + * directory can be executed by the owner
> + *
> + * @throws IOException
> + */
> + private static void createRestrictedFile(File file, boolean isDir, boolean writableByOwner) throws IOException {
> +
> + File tempFile = null;
> +
> + tempFile = new File(file.getCanonicalPath() + ".temp");
> +
> + if (isDir) {
> + if (!tempFile.mkdir()) {
> + throw new IOException("unable to create directory");
> + }
> + } else {
> + if (!tempFile.createNewFile()) {
> + throw new IOException("Unable to create file");
> + }
> + }
> +
> + // remove all permissions
> + tempFile.setExecutable(false, false);
> + tempFile.setReadable(false, false);
> + tempFile.setWritable(false, false);
> +
> + // allow owner to read
> + tempFile.setReadable(true, true);
> +
> + // allow owner to write
> + if (writableByOwner) {
> + tempFile.setWritable(true, true);
> + }
> +
> + // allow owner to enter directories
> + if (isDir) {
> + tempFile.setExecutable(true, true);
> + }
> +
> + // rename this file. Unless the file is moved/renamed, any program that
> + // opened the file right after it was created might still be able to
> + // read the data.
> + if (!tempFile.renameTo(file)) {
> + throw new IOException("Unable to rename file");
> + }
> +
> + }
> +
> + /**
> * Returns a String that is suitable for using in GUI elements for
> * displaying (long) paths to users.
> *
> diff -r dd77da50a226 netx/net/sourceforge/jnlp/util/XDesktopEntry.java
> --- a/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Tue Nov 23 10:05:06 2010 -0500
> +++ b/netx/net/sourceforge/jnlp/util/XDesktopEntry.java Tue Nov 23 13:50:30 2010 -0500
> @@ -142,6 +142,9 @@
> if (!shortcutFile.getParentFile().isDirectory() && !shortcutFile.getParentFile().mkdirs()) {
> throw new IOException(shortcutFile.getParentFile().toString());
> }
> +
> + FileUtils.createRestrictedFile(shortcutFile, true);
> +
> /*
> * Write out a Java String (UTF-16) as a UTF-8 file
> */
More information about the distro-pkg-dev
mailing list