
Many filesystems provide access to their files to multiple users, and not all of the users are trustworthy. Files on multiuser systems are generally owned by a particular user. The owner of the file can determine which other users on the system should be allowed to access the contents of these files.
These filesystems generally use a privileges and permissions model to protect file access. When a new file is created, the access permissions of the file immediately dictate who may access or operate on the file. If a program creates a file with insufficiently restrictive access permissions, an attacker may read or modify the file before the program can modify the permissions. Consequently, files must be created with access permissions that prevent unauthorized file access.
Java provides several methods for creating files. Additionally, several classes, such as FileOutputStream, can create files in their constructors. Prior to Java 1.7, these methods were unable to specify access permissions when creating files. In these cases, the problem of ensuring the file is not created with insufficient permissions falls outside the program and must be managed by anyone executing the program.
The Java 1.7 new I/O facility (java.nio) provides a rich set of classes for managing file access permissions. Additionally, many of the methods and constructors that create files accept an argument allowing the program to specify the initial permissions of the file. If a file might otherwise be accessible to untrusted users, a Java 1.7 program must create the file with sufficiently restrictive access permissions.
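The following added example (not code from the original page) shows one way to pass initial permissions to a java.nio creation method so that the file never exists with looser permissions. The class name RestrictedFileCreation, the helper createPrivateFile, and the file names are hypothetical, and a POSIX filesystem is assumed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class RestrictedFileCreation {   // hypothetical class name

    // Owner read/write only; group and others get no access.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            PosixFilePermissions.fromString("rw-------");

    /** Creates a new file whose permissions are applied at creation time. */
    static Path createPrivateFile(Path path) throws IOException {
        if (!path.getFileSystem().supportedFileAttributeViews().contains("posix")) {
            // Assumption: non-POSIX filesystems need an ACL-based attribute instead.
            throw new UnsupportedOperationException("POSIX permissions not supported");
        }
        FileAttribute<Set<PosixFilePermission>> attr =
                PosixFilePermissions.asFileAttribute(OWNER_ONLY);
        // Throws FileAlreadyExistsException instead of reusing an existing file.
        return Files.createFile(path, attr);
    }

    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("fio-demo");   // constructed sample location
        Path secret = createPrivateFile(dir.resolve("secret.txt"));

        try (OutputStream out = Files.newOutputStream(secret, StandardOpenOption.WRITE)) {
            out.write("sensitive data".getBytes(StandardCharsets.UTF_8));
        }

        // The umask can only remove bits from the requested set, so confirm the result.
        Set<PosixFilePermission> actual = Files.getPosixFilePermissions(secret);
        if (!OWNER_ONLY.containsAll(actual)) {
            throw new IllegalStateException("More permissive than requested: " + actual);
        }
        System.out.println(secret + " " + PosixFilePermissions.toString(actual));
    }
}
```

Because the permissions are supplied as a FileAttribute to Files.createFile, there is no interval between creation and a later permission change during which another user could open the file.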
Noncompliant Code Example
...
...