SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 44

changes.mady.by.user Shannon Haas

Saved on

compared with

New Version 45

changes.mady.by.user Shannon Haas

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

These file systems use a privileges and permissions model to protect file access. When a file is created, the file access permissions of the file immediately dictate who may access or operate on the file. When a program creates a file with insufficiently restrictive access permissions, an attacker may read or modify the file before the program can modify the permissions. Consequently, files must be created with access permissions that prevent unauthorized file access.

...

In this noncompliant code example, the access permissions of any file created are implementation-defined and may fail to not prevent unauthorized access.

...

Java 1.6 and earlier lack a mechanism for specifying default permissions upon file creation. Consequently, the problem must be avoided or solved using some mechanism external to Java, such as by using native code and the Java Native Interface (JNI).

...

The Files.newByteChannel() method allows a file to be created with specific permissions. This method is platform-independent, but the actual permissions are platform-specific. The following This compliant solution shows defines sufficiently restrictive permissions for POSIX platforms.

Code Block
bgColor#ccccff
Path file = new File("file").toPath();

// Throw exception rather than overwrite existing file
Set<OpenOption> options = new HashSet<OpenOption>();
options.add(StandardOpenOption.CREATE_NEW);
options.add(StandardOpenOption.APPEND);

// File permissions should be such that only user may read/write file
Set<PosixFilePermission> perms =
    PosixFilePermissions.fromString("rw-------");
FileAttribute<Set<PosixFilePermission>> attr =
    PosixFilePermissions.asFileAttribute(perms);

try (SeekableByteChannel sbc =
         Files.newByteChannel(file, options, attr)) {
  // write data
};

...

FIO01-EX0: When a file is created inside a directory that is both secure and unreadable by untrusted users, that file may be created with the default access permissions. See rule FIO00-J. Do not operate on files in shared directories for the definition of a secure directory. This could be the case if, for example, the entire file system is trusted or is accessible only to trusted users. See rule FIO00-J. for the definition of a secure directory.

FIO01-EX1: Files that do not contain sensitive privileged information need not be created with specific access permissions.

...

Files created with insufficiently restrictive access permissions result in information disclosure, especially if the program creating the file populates the sensitive information. The ability to determine whether an existing file has been opened or a new file has been created provides greater assurance that only the intended file is acted upon.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

FIO01-J

medium

probable

high

P4

L3

...

CERT C++ Secure Coding Standard

FIO06-CPP. Create files with appropriate access permissions

CERT C Secure Coding Standard

FIO06-C. Create files with appropriate access permissions

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="56b90fec80441cde-5c1f52cc-453d4492-929d8bcb-99edbc5b47b108b470ca3d37"><ac:plain-text-body><![CDATA[

[ISO/IEC TR 24772:2010

http://www.aitcnet.org/isai/]

Missing or Inconsistent Access Control [XZN]

]]></ac:plain-text-body></ac:structured-macro>

MITRE CWE

CWE-279. Incorrect execution-assigned permissions

 

CWE-276. Incorrect default permissions

 

CWE-732. Incorrect permission assignment for critical resource

...

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9a2e3252c3fda8ee-5270a367-47824fa3-95709bbc-c8923052a1d878443e0c2c51"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="affe4dc69b081653-3e96ef9b-45ca4a2c-b7829c65-07b58c726f5d7799df4a1479"><ac:plain-text-body><![CDATA[

[[CVE

AA. Bibliography#CVE]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="1e7e641c7a78626f-5e65889f-46da43cd-bf379624-5ed6f8e443e40aa8969b49b4"><ac:plain-text-body><![CDATA[

[[Dowd 2006

AA. Bibliography#Dowd 06]]

Chapter 9, "UNIX 1: Privileges and Files"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="bd7fdb89ba1125fb-b795b44f-439d4cd4-a1e2b498-f66c82832f5e8ba07171b7ff"><ac:plain-text-body><![CDATA[

[[J2SE 2011

AA. Bibliography#J2SE 11]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="26ac61410a9cf644-f67c8339-4a6b493d-a066b7be-6ebd64a5de4766f214c1182f"><ac:plain-text-body><![CDATA[

[[OpenBSD

AA. Bibliography#OpenBSD]]

 

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="438438e86a355349-774d83a3-48934df5-929cb6e8-364e4cb04042197880839653"><ac:plain-text-body><![CDATA[

[[Open Group 2004

AA. Bibliography#Open Group 04]]

"The open function," and "The umask function"

]]></ac:plain-text-body></ac:structured-macro>

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="abbbb903299765e3-c6c6a687-4d8e43c0-b3d4aefd-bdfcf0aff832c18469b72ea8"><ac:plain-text-body><![CDATA[

[[Viega 2003

AA. Bibliography#Viega 03]]

Section 2.7, "Restricting Access Permissions for New Files on UNIX"

]]></ac:plain-text-body></ac:structured-macro>

...