Utility "jar" changes file permissions

Jiri Vanek jvanek at redhat.com
Mon May 20 05:49:44 PDT 2013


On 05/20/2013 02:42 PM, Guillaume ALAUX wrote:
> On 20 May 2013 13:02, Jiri Vanek <jvanek at redhat.com> wrote:
>> On 05/20/2013 12:33 PM, Guillaume ALAUX wrote:
>>>
>>> Hello,
>>>
>>> When building OpenJDK 7u21 with Icedtea 2.3.9 (for Arch Linux) the
>>> following jar file gets wrong file permissions (not "go" readable):
>>>
>>> % ls -Ahl /usr/lib/jvm/java-7-openjdk/lib/sa-jdi.jar
>>> -rw------- 1 root root 2.5M May 15 08:33
>>> /usr/lib/jvm/java-7-openjdk/lib/sa-jdi.jar
>>>
>>> I found the "jar" utility has already had such an issue, as reported here [0]
>>> [1].
>>>
>>> I can reproduce the wrong behavior explained in Sun's bug report [1]:
>>>
>>> % touch newjar.jar
>>> % echo New >> newManifest
>>> % echo OneMore >> oneMoreManifest
>>>
>>> % jar -cfM0 newjar.jar newManifest
>>>
>>> % ls -l newjar.jar
>>> -rw-r--r-- 1 guillaume users 132 May 20 12:18 newjar.jar
>>>
>>> % jar uf newjar.jar oneMoreManifest
>>>
>>> % ls -l newjar.jar
>>> -rw------- 1 guillaume users 264 May 20 12:20 newjar.jar
>>>
>>> There is a unit test called UpdateJar.java in OpenJDK for that.
>>>
>>> Is it worth opening a bug report?
>>>
>>> [0] https://bugzilla.redhat.com/show_bug.cgi?id=855977
>>> [1] http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7175845
>>>
>>> Thanks!
>>>
>>> --
>>> Guillaume
>>>
>>
>> Hi!
>>
>> One of the recent (half a year ago?) security hardening patches changed the API
>> for temporary files to have just -rw------- permissions. A side effect of this
>> is that when you update a jar (jar -uf), it is passed through a tmp file and so
>> the permissions are restricted to -rw------- ... So from one point of view this
>> is correct behaviour. On the other hand, this is worthy of an upstream (Oracle)
>> bug, as the result of jar -u should have the same permissions as the original had.
>>
>> The reason that one of the JDK's jars has these permissions is that the JDK
>> compiles and jars itself. So if there is an update of a jar somewhere, then it is
>> changed to -rw------- ... Last time this was reported for java-access-bridge.jar
>> and fixed in the spec file by a plain "chmod".
>>
>> We can fix this in icedtea, but it will be just a temporary workaround.
>>
>> Hope this helped.
>>    J.
>
> Actually, a "bare" JDK downloaded from [0] does not show the issue:
>
> % ls -l newjar.jar
> -rw-r--r-- 1 guillaume users 0 May 20 14:08 newjar.jar
>
> % ../jdk1.7.0_21/bin/jar -cfM0 newjar.jar newManifest
>
> % ls -l newjar.jar
> -rw-r--r-- 1 guillaume users 132 May 20 14:08 newjar.jar
>
> % ../jdk1.7.0_21/bin/jar uf newjar.jar oneMoreManifest
>
> % ls -l newjar.jar
> -rw-r--r-- 1 guillaume users 264 May 20 14:08 newjar.jar
>
> So I guess it could be due to IcedTea. Does IcedTea patch the "jar" utility?
>
> [0] http://www.oracle.com/technetwork/java/javase/downloads/jdk7-downloads-1880260.html
>

I'm afraid that it is quite common that fixes from openjdk bubble to the proprietary jdk quite smoothly,
but in the opposite direction only the crucial fixes are delivered :(

So it is possible that they have already fixed this in it.

J.
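
The mechanism discussed in this thread (an update that is written to a -rw------- temp file which then replaces the original), as an added shell example that is not code from the thread, OpenJDK or IcedTea. It assumes mktemp and cat as a stand-in for "jar uf"; all function names are hypothetical, and unreadable_jars is a packaging check in the spirit of the spec-file "chmod" workaround.

```shell
#!/bin/sh
# Added illustration: mktemp + cat stand in for the update step of "jar uf".

# Octal mode of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Update through a temp file without restoring the mode: mktemp creates
# the file as 0600, and the rename makes that the mode of the target.
update_naive() {
    target=$1; extra=$2
    tmp=$(mktemp "$(dirname "$target")/upd.XXXXXX") || return 1
    cat "$target" "$extra" > "$tmp" && mv -f "$tmp" "$target" ||
        { rm -f "$tmp"; return 1; }
}

# Same update, but the original mode is recorded first and applied to the
# temp file before it replaces the target.
update_preserving() {
    target=$1; extra=$2
    mode=$(file_mode "$target") || return 1
    tmp=$(mktemp "$(dirname "$target")/upd.XXXXXX") || return 1
    cat "$target" "$extra" > "$tmp" && chmod "$mode" "$tmp" &&
        mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }
}

# Packaging check: print every jar under a tree that is not readable by
# both group and others, e.g. a jar left at -rw------- after an update.
unreadable_jars() {
    find "$1" -type f -name '*.jar' ! -perm -044 -print
}
```

Running unreadable_jars over the install tree at the end of a package build lists any jar that an update step left restricted, so it can be corrected with chmod before packaging.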



More information about the distro-pkg-dev mailing list