Utility "jar" changes file permissions

Mon May 20 04:02:43 PDT 2013

On 05/20/2013 12:33 PM, Guillaume ALAUX wrote:
> Hello,
>
> When building OpenJDK 7u21 with Icedtea 2.3.9 (for Arch Linux) the
> following jar file gets wrong file permissions (not "go" readable):
>
> % ls -Ahl /usr/lib/jvm/java-7-openjdk/lib/sa-jdi.jar
> -rw------- 1 root root 2.5M May 15 08:33
> /usr/lib/jvm/java-7-openjdk/lib/sa-jdi.jar
>
> I found the "jar" utility has already had such issue as reported here [0] [1].
>
> I can reproduce the wrong behavior explained in Sun's bug report [1]:
>
> % touch newjar.jar
> % echo New >> newManifest
> % echo OneMore >> oneMoreManifest
>
> % jar -cfM0 newjar.jar newManifest
>
> % ls -l newjar.jar
> -rw-r--r-- 1 guillaume users 132 May 20 12:18 newjar.jar
>
> % jar uf newjar.jar oneMoreManifest
>
> % ls -l newjar.jar
> -rw------- 1 guillaume users 264 May 20 12:20 newjar.jar
>
> There is a unit test called UpdateJar.java in OpenJDK for that.
>
> Is it worth opening a bug report?
>
> [0] https://bugzilla.redhat.com/show_bug.cgi?id=855977
> [1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7175845
>
> Thanks!
>
> --
> Guillaume
>

Hi!

One of the recent (half an year ago?) security hardening patch changed api for temporal files to 
have just -rw------- permissions. Side effect of this is that when you update jar (jar -uf), it is 
passed through tmp file and so the permissions are restricted to -rw------- ... So from point of 
view this is correct behaviour. On the other hand, this is worthy of upstream (oracle) bug. As 
result of jar -u should have the same permissions as had original.

The fact that one of the JDK's jars have this permissions is that jdk compile and jar itself. So if 
somewhere is update of jar, then it changed to -rw------- ... Last time this was reported for 
java-access-bridge.jar and fixed in spec file by plain "chmod".

We can fix this in icedtea, but it will be just temporally workaround.

Hopes this helped.
   J.