[External] : Re: Shell files in `/bin` can be made executable
Magnus Ihse Bursie
magnus.ihse.bursie at oracle.com
Wed Nov 24 13:08:05 UTC 2021
On 2021-11-23 16:43, Kevin Rushforth wrote:
> I sent my reply before I saw Magnus', so I was commenting on the
> "what" and not the "why".
> I'm sure others with more standing in the JDK project will chime in,
> but two reasons that come to mind are:
> 1. Allowing scripts that are executable could lead to unexpected
> results if the current directory is in the PATH ahead of some place
> you expect to get that command.
You mean if the user has configured his/her environment to have like
PATH=.:/bin:/usr/bin:..? That is a horrible, horrible security
misconfiguration, that will introduce security issues all the time, not
only for OpenJDK. I don't think we can or should try to protect against
this particular case of bad user configuration.
> 2. On Windows platforms it is very easy to have a file be accidentally
> executable depending on how it is created, such that (for example) new
> source code files end up having the execute bit set.
I wonder what tooling produces such files, but sure, let's say that this
is something we want to protect ourselves against. I propose that we
modify jcheck so it disallows executable files, not across the board, but
in the src directory. (Or instead of having a block-list, have an
allow-list of directories where executables are allowed, typically
"./bin" and the root (for the configure script).)
> -- Kevin
> On 11/23/2021 7:33 AM, Japris Pogrammer wrote:
>> Thanks for your quick responses!
>> Are there any actual reasons for this restriction or is it here just
>> for historical reasons?
>> If there is a possibility of dropping this limitation, as Magnus
>> says, I also would like to support it.
>> Tue, 23 Nov 2021 at 18:08, Kevin Rushforth
>> <kevin.rushforth at oracle.com> wrote:
>> No, executable files are explicitly prohibited in the jdk repo.
>> This is enforced by jcheck.
>> -- Kevin
>>  https://github.com/openjdk/jdk/blob/master/.jcheck/conf#L6
>> On 11/23/2021 6:59 AM, Japris Pogrammer wrote:
>> > Currently shell scripts in /bin directory seem to be missing x
>> > modifier. I guess that it should be added to them in order to
>> > improve their usage experience a bit.
>> > Is this assumption right?
>> > If yes, then I am ready to propose a simple fix for this.
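
An added example, not part of the original message and not jcheck's own code: a sketch of the allow-list check proposed above, applied to the file modes git records in its index (so it does not depend on filesystem permission bits). The allow-list semantics (executables permitted only directly inside the repository root and bin), the function names and the sample paths are assumptions.

```python
import posixpath

# Assumption: executables are allowed only directly inside these directories.
# "" is the repository root (for the configure script), "bin" is ./bin.
ALLOWED_DIRS = {"", "bin"}

# Constructed sample of `git ls-files -s` output; each line has the form
# "<mode> <object> <stage>\t<path>". Object ids are placeholders.
SAMPLE_INDEX = "\n".join([
    "100755 " + "a" * 40 + " 0\tconfigure",
    "100755 " + "b" * 40 + " 0\tbin/example.sh",
    "100755 " + "c" * 40 + " 0\tsrc/demo/Example.java",
    "100644 " + "d" * 40 + " 0\tsrc/demo/Other.java",
    "120000 " + "e" * 40 + " 0\tsrc/demo/link",
    "100755 " + "f" * 40 + " 0\tbin/sub/nested.sh",
])


def parse_index(text):
    """Yield (mode, path) pairs from `git ls-files -s` output."""
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, path = line.split("\t", 1)
        yield meta.split()[0], path


def disallowed_executables(index_text, allowed_dirs=ALLOWED_DIRS):
    """Return paths recorded as executable (mode 100755) outside the allow-list."""
    bad = []
    for mode, path in parse_index(index_text):
        if mode != "100755":
            continue  # 100644 regular file, 120000 symlink, 160000 submodule
        if posixpath.dirname(path) not in allowed_dirs:
            bad.append(path)
    return bad


if __name__ == "__main__":
    for path in disallowed_executables(SAMPLE_INDEX):
        print("executable file not allowed:", path)
```

To run it against a real checkout, pass the output of `git ls-files -s` to `disallowed_executables` in place of the constructed sample.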