Versions Compared

Comment: rewrote intro & exceptions

Many filesystems provide access to their files to multiple users, and not all of those users are trustworthy. These filesystems generally use a privileges and permissions system to prevent untrusted users from accessing sensitive files. When a new file is created, the access permissions of the file immediately dictate who may access or operate on it. A program that creates a file with insufficiently restrictive access permissions may therefore allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) them. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access. It is also important that the permissions are established in a way an attacker cannot subvert: if the file is first created with default permissions and only later restricted, an attacker may read or modify the file before the program is able to modify the permissions. Consequently, any file created by a program must be created with access permissions that prevent untrusted users from accessing or modifying the file.

Java provides several methods for creating files. Furthermore, several classes, such as FileOutputStream, can create files in their constructors. Prior to Java 1.7, these methods were unable to specify access permissions when creating files. In these cases, the problem of making sure the file is not created with insufficient permissions falls outside the program and must be handled by whoever executes the program.

Java 1.7's new I/O facility (java.nio) provides a rich set of classes for managing file access permissions. Furthermore, many of the methods and constructors that create files accept an argument allowing the program to specify the initial permissions of the file. If a file might otherwise be accessible to untrusted users, a Java 1.7 program must create the file with sufficiently restrictive access permissions.

Noncompliant Code Example

The constructors for FileOutputStream and FileWriter do not allow the programmer to explicitly specify file access permissions. This applies to Java 1.7, as well as previous versions of Java.

In this noncompliant code example, if the constructor creates a new file in a location accessible to untrusted users, the file's access permissions are implementation-defined and are likely to grant untrusted users the ability to read or modify the file.

```java
import java.io.*;
Writer out = new FileWriter("file"); // noncompliant: file permissions are implementation-defined
```

...

Analogous permissions can be used for a Windows-based compliant solution.
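The java.nio approach described in the introduction, as an added example rather than the rule's own compliant solution, for a POSIX filesystem: the permissions are passed to Files.createFile so they are applied atomically at creation time, leaving no window in which the file exists with default permissions. The class name, the "rw-------" mode and the sample path are assumptions.

```java
import java.io.IOException;
import java.io.Writer;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileAlreadyExistsException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class RestrictedFileCreation {

    /**
     * Creates {@code path} with owner-only read/write permission (rw-------)
     * set atomically as part of the create operation. Fails if the file
     * already exists rather than reusing whatever is already there.
     */
    public static Writer createOwnerOnlyWriter(Path path) throws IOException {
        Set<PosixFilePermission> perms =
            PosixFilePermissions.fromString("rw-------");
        FileAttribute<Set<PosixFilePermission>> attr =
            PosixFilePermissions.asFileAttribute(perms);
        // Throws FileAlreadyExistsException if the file exists, and
        // UnsupportedOperationException on filesystems without POSIX
        // permissions (e.g. NTFS), where an ACL-based attribute is needed.
        Files.createFile(path, attr);
        return Files.newBufferedWriter(path, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws IOException {
        Path p = Paths.get(args.length > 0 ? args[0] : "file"); // constructed sample path
        try (Writer out = createOwnerOnlyWriter(p)) {
            out.write("sensitive data\n");
        } catch (FileAlreadyExistsException e) {
            System.err.println("Refusing to reuse existing file: " + p);
            return;
        }
        // Check what actually landed on disk; the process umask may have
        // restricted the permissions further, but it can never widen them.
        System.out.println(PosixFilePermissions.toString(
            Files.getPosixFilePermissions(p)));
    }
}
```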

Exceptions

FIO03-EX0: If a file is created inside a directory that is both secure and unreadable by untrusted users, then that file may be created with the default access permissions. See FIO07-J. Do not create temporary files in shared directories for the definition of a secure directory. This could be the case if, for example, the entire filesystem is trusted, or is accessible only to trusted users.

FIO03-EX1: Files that do not contain sensitive information need not be created with specific access permissions.

Risk Assessment

...