[External] : Re: Shell files in `/bin` can be made executable

Magnus Ihse Bursie magnus.ihse.bursie at oracle.com
Wed Nov 24 13:08:05 UTC 2021

On 2021-11-23 16:43, Kevin Rushforth wrote:
> I sent my reply before I saw Magnus', so I was commenting on the 
> "what" and not the "why".
> I'm sure others with more standing in the JDK project will chime in, 
> but two reasons that come to mind are:
> 1. Allowing scripts that are executable could lead to unexpected 
> results if the current directory is in the PATH ahead of some place 
> you expect to get that command.

You mean if the user has configured his/her environment to have like 
PATH=.:/bin:/usr/bin:..? That is a horrible, horrible security 
misconfiguration, that will introduce security issues all the time, not 
only for OpenJDK. I don't think we can or should try to protect against 
this particular case of bad user configuration.

> 2. On Windows platforms it is very easy to have a file be accidentally 
> executable depending on how it is created, such that (for example) new 
> source code files end up having the execute bit set.

I wonder what tooling produces such files, but sure, let's say that this 
is something we want to protect ourselves against. I propose that we 
modify jcheck so it disallows executable files, not over the board, but 
in the src directory. (Or instead of having a block-list, have an 
allow-list of directories where executables are allowed, typically 
"./bin" and the root (for the configure script.)

> -- Kevin
> On 11/23/2021 7:33 AM, Japris Pogrammer wrote:
>> Thanks for your quick responses!
>> Are there any actual reasons for this restriction or is it here just 
>> for historical reasons?
>> If there is a possibility of dropping this limitation, as Magnus 
>> says, I also would like to support it.
>> вт, 23 нояб. 2021 г. в 18:08, Kevin Rushforth 
>> <kevin.rushforth at oracle.com>:
>>     No, executable files are explicitly prohibited in the jdk repo.
>>     This is
>>     enforced by jcheck [3].
>>     -- Kevin
>>     [3] https://github.com/openjdk/jdk/blob/master/.jcheck/conf#L6
>>     <https://urldefense.com/v3/__https://github.com/openjdk/jdk/blob/master/.jcheck/conf*L6__;Iw!!ACWV5N9M2RV99hQ!ejFT80ep3fT0XHb8rtDf6-00kZJtZe4VGAH3XIUmRJWxLpooaTVAuLE6XBX8tTZZ40Ca$>
>>     On 11/23/2021 6:59 AM, Japris Pogrammer wrote:
>>     > Currently [1] shell scripts in /bin directory seem to be missing x
>>     > modifier. I guess that it should be added to them in order to
>>     improve their
>>     > usage experience a bit.
>>     > Is this assumption right?
>>     > If yes, then I am ready to propose a simple fix for this [2].
>>     >
>>     > [1]:
>>     >
>>     https://github.com/openjdk/jdk/blob/f4dc03ea6de327425ff265c3d2ec16ea7b0e1634/bin/
>>     <https://urldefense.com/v3/__https://github.com/openjdk/jdk/blob/f4dc03ea6de327425ff265c3d2ec16ea7b0e1634/bin/__;!!ACWV5N9M2RV99hQ!ejFT80ep3fT0XHb8rtDf6-00kZJtZe4VGAH3XIUmRJWxLpooaTVAuLE6XBX8tfwfResK$>
>>     > [2]:
>>     https://github.com/JarvisCraft/jdk/tree/bin-make-shell-files-executable
>>     <https://urldefense.com/v3/__https://github.com/JarvisCraft/jdk/tree/bin-make-shell-files-executable__;!!ACWV5N9M2RV99hQ!ejFT80ep3fT0XHb8rtDf6-00kZJtZe4VGAH3XIUmRJWxLpooaTVAuLE6XBX8teuSPFQp$>

More information about the jdk-dev mailing list