JDK-8170844: File permission failure on JDK 9 build 144

    Details

    • Subcomponent:
    • Introduced In Build:
      b143
    • Introduced In Version:
      9
    • CPU:
      generic
    • OS:
      generic

      Description

      FULL PRODUCT VERSION :
      java version "9-ea"
      Java(TM) SE Runtime Environment (build 9-ea+144)
      Java HotSpot(TM) 64-Bit Server VM (build 9-ea+144, mixed mode)

      ADDITIONAL OS VERSION INFORMATION :
      Mac OSX 10.11.5

      A DESCRIPTION OF THE PROBLEM :
      Copied from the following email exchange with Rory O'Donnell on the derby-dev mailing list:

      Hi Rory,

      Build 140 did not display the file permissions problems described here: http://mail.openjdk.java.net/pipermail/jdk9-dev/2016-October/005062.html. However, I did see file permissions problems with JDK 9 build 144. It has taken me a while to write a compact repro for the file permissions problems, but I have finally succeeded. My results are described in the comments dated from 2016-11-15 through 2016-12-03 on the following JIRA issue: https://issues.apache.org/jira/browse/DERBY-6856

      I am attaching the repro to this mail message, along with the following summary, copied from DERBY-6856:

      -----------------------------------

      It has taken me a while, but I now have a compact repro for the regression in JDK 9 build 144. I am attaching the following files:

        PTest.java - A test which shows this problem

        ptestScript - A script for building the test and running it

      To show the problem, put PTest.java in the current directory and run ptestScript. The script will compile the test class and put the test class inside a jar file in the parent directory. Then the script will run the test in setup mode, creating a subdirectory of the current directory and a policy file. Finally, the script will run the test under a security manager, demonstrating the problem on JDK 9 build 144.

      I have observed the following:

      1) The problem only occurs if the jar file which receives privileges is in the parent directory of the current directory. If the jar file is in the current directory, then the problem does not occur.

      2) The problem only occurs if the policy file grants write permission as well as read permission on the target directory.

      Here is the output of the script when it is run using JDK 8:

      ------

      java version "1.8.0_101"
      Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
      Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
      Compile the test and jar it up...
      Run the test in setup mode, creating a subdirectory and policy file...
      Policy file is...
      grant codeBase "file:/Users/rhillegas/derby/PTest.jar" {
        permission java.io.FilePermission "/Users/rhillegas/derby/mainline/ptestdir/-", "write";
        permission java.io.FilePermission "/Users/rhillegas/derby/mainline/ptestdir/-", "read";
      };

      Now run the experiment under a security manager...
      Checking for existence of /Users/rhillegas/derby/mainline/ptestdir/zdummy.txt
      '/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt' exists = false

      ------

      Here is the output from the script when the current environment uses JDK 9 build 144:

      ------

      java version "9-ea"
      Java(TM) SE Runtime Environment (build 9-ea+144)
      Java HotSpot(TM) 64-Bit Server VM (build 9-ea+144, mixed mode)
      Compile the test and jar it up...
      Run the test in setup mode, creating a subdirectory and policy file...
      Policy file is...
      grant codeBase "file:/Users/rhillegas/derby/PTest.jar" {
        permission java.io.FilePermission "/Users/rhillegas/derby/mainline/ptestdir/-", "write";
        permission java.io.FilePermission "/Users/rhillegas/derby/mainline/ptestdir/-", "read";
      };

      Now run the experiment under a security manager...
      Checking for existence of /Users/rhillegas/derby/mainline/ptestdir/zdummy.txt
      Caught a java.security.AccessControlException bearing this message: access denied ("java.io.FilePermission" "/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt" "read")

      ------

      Best regards,
      -Rick

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      See above. Copy the source code (see below) into PTest.java in the current directory and then run the following script. The program succeeds on JDK 8 but raises a security exception on JDK 9:

      #! /bin/bash
      #
      # Compile and run the PTest program

      java -version

      policyFile=PTest.policy
      curDir=$(pwd)

      # The jar file goes in the parent directory of the current directory
      cd ..
      jarFile=$(pwd)/PTest.jar

      cd "$curDir"

      echo Compile the test and jar it up...
      javac PTest.java
      jar cf "$jarFile" PTest*.class

      echo Run the test in setup mode, creating a subdirectory and policy file...
      java -cp "$jarFile" PTest "$curDir" "$jarFile" "$policyFile"

      echo Policy file is...
      cat "$policyFile"

      echo Now run the experiment under a security manager...
      java -cp "$jarFile" -Djava.security.manager -Djava.security.policy="$policyFile" PTest "$curDir"



      REPRODUCIBILITY :
      This bug can be reproduced always.

      ---------- BEGIN SOURCE ----------
      import java.io.File;
      import java.io.PrintWriter;
      import java.io.IOException;
      import java.security.AccessController;
      import java.security.ProtectionDomain;
      import java.security.PrivilegedAction;
      import java.security.PrivilegedActionException;
      import java.security.PrivilegedExceptionAction;
      import java.text.MessageFormat;

      public class PTest
      {
        private static final String SUB_DIR = "ptestdir";
        private static final String FILE_TO_READ = "zdummy.txt";
        private static final String POLICY_FILE_NAME = "PTest.policy";
        
        private static final String POLICY_FILE =
          "grant codeBase \"file:JAR_FILE\" {\n" +
            " permission java.io.FilePermission \"CUR_DIR/" + SUB_DIR + "/-\", \"write\";\n" +
            " permission java.io.FilePermission \"CUR_DIR/" + SUB_DIR + "/-\", \"read\";\n" +
          "};\n";
        
        public static void main(String... args) throws Exception
        {
          File currentDirectory = new File(args[0]);
          boolean setupMode = (args.length > 1);

          if (setupMode)
          {
            File jarFile = new File(args[1]);
            File policyFile = new File(args[2]);
            setup(currentDirectory, jarFile, policyFile);
          }
          else
          {
            File subdir = new File(currentDirectory, SUB_DIR);
            File fileToRead = new File(subdir, FILE_TO_READ);
            checkFileExists(fileToRead.getAbsolutePath());
          }
        }

        private static void setup
          (File currentDirectory, File jarFile, File policyFile)
          throws Exception
        {
          // create the subdirectory
          File subdir = new File(currentDirectory, SUB_DIR);
          subdir.mkdir();

          String policyFileContents = POLICY_FILE
            .replace("JAR_FILE", jarFile.getAbsolutePath())
            .replace("CUR_DIR", currentDirectory.getAbsolutePath());
          writePolicyFile(policyFile, policyFileContents);
        }

        private static void writePolicyFile(File policyFile, String contents) throws Exception
        {
          PrintWriter pw = new PrintWriter(policyFile);
          pw.println(contents);
          pw.flush();
          pw.close();
        }


        private static void checkFileExists(final String fileName)
        {
          try
          {
            boolean fileExists =
              (
               AccessController.doPrivileged
               (
                new PrivilegedExceptionAction<Boolean>()
                {
                  public Boolean run()
                  throws SecurityException, IOException
                  {
                    println("Checking for existence of " + fileName);
                    File f = new File(fileName);
                    boolean exists = f.exists();
                    return exists;
                  }
                }
                )
               );

            println("'" + fileName + "' exists = " + fileExists);
          }
          catch (Throwable t) { printThrowable(t); }
        }

        private static void printThrowable(Throwable t)
        {
          println("Caught a " + t.getClass().getName() + " bearing this message: " + t.getMessage());
        }

        private static void println(String text) { System.out.println(text); }
      }
      ---------- END SOURCE ----------
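
      An added diagnostic, not part of the original report or of the JDK sources: it puts the two grants from PTest.policy into a java.security.Permissions collection and asks whether they imply the "read" check that was denied, next to read-only, combined and write-only variants. It loads no policy file and installs no security manager, so it isolates permission matching only; the class name PermCheck and the default path /tmp/mainline are assumptions.

```java
import java.io.File;
import java.io.FilePermission;
import java.security.PermissionCollection;
import java.security.Permissions;
import java.util.LinkedHashMap;
import java.util.Map;

// Added diagnostic (not from the original report): checks FilePermission
// matching directly, without a policy file or a security manager.
public class PermCheck
{
  // Build a collection from {path, actions} grants and test one read check.
  static boolean impliesRead(String target, String[][] grants)
  {
    PermissionCollection pc = new Permissions();
    for (String[] g : grants) { pc.add(new FilePermission(g[0], g[1])); }
    return pc.implies(new FilePermission(target, "read"));
  }

  public static void main(String... args)
  {
    // Constructed default path; pass the directory that holds ptestdir as
    // args[0] to mirror the layout used by ptestScript.
    String curDir = (args.length > 0) ? args[0] : "/tmp/mainline";
    String dir = new File(curDir, "ptestdir").getAbsolutePath();
    String grant = dir + File.separator + "-";   // "/-" = all files, recursively
    String target = new File(dir, "zdummy.txt").getAbsolutePath();

    Map<String, String[][]> cases = new LinkedHashMap<>();
    cases.put("write then read (as in PTest.policy)",
      new String[][] { { grant, "write" }, { grant, "read" } });
    cases.put("read only", new String[][] { { grant, "read" } });
    cases.put("combined \"read,write\"", new String[][] { { grant, "read,write" } });
    // Control case: a write-only grant must never imply read.
    cases.put("write only (control)", new String[][] { { grant, "write" } });

    System.out.println("java.version = " + System.getProperty("java.version"));
    for (Map.Entry<String, String[][]> e : cases.entrySet())
    {
      System.out.println(e.getKey() + " -> implies read on " + target
        + " = " + impliesRead(target, e.getValue()));
    }
  }
}
```

      Run it with both JDKs from the same directory as ptestScript and compare the output line by line; any case other than the write-only control that prints false points at permission matching rather than at policy file parsing.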

              People

              • Assignee:
                weijun Weijun Wang
                Reporter:
                webbuggrp Webbug Group