Files on multiuser systems are generally owned by a particular user. The owner of the file can specify which other users on the system should be allowed to access the contents of these files.
These file systems use a privileges and permissions model to protect file access. When a file is created, the file access permissions dictate who may access or operate on the file. When a program creates a file with insufficiently restrictive access permissions, an attacker may read or modify the file before the program can modify the permissions. Consequently, files must be created with access permissions that prevent unauthorized file access Creating a file with insufficiently restrictive access permissions may allow an unprivileged user to access that file. Although access permissions are heavily dependent on the file system, many file-creation functions provide mechanisms to set (or at least influence) access permissions. When these functions are used to create files, appropriate access permissions should be specified to prevent unintended access. Also, when setting access permissions, it is important to make sure that an attacker is not able to alter them.
Noncompliant Code Example
The constructors for FileOutputStream and FileWriter do not allow the programmer to explicitly specify file access permissions. In this noncompliant code example, if the constructor creates a new file, the access permissions of any file created are implementation-defined. and may not prevent unauthorized access:
| Code Block | ||
|---|---|---|
| ||
Writer out = new FileWriter("file");
|
Implementation Details (POSIX)
| Wiki Markup |
|---|
On POSIX-compliant systems, the permissions may be restricted by the value of the POSIX C {{umask()}} function \[[Open Group 2004|AA. Bibliography#Open Group 04]\]. |
| Wiki Markup |
|---|
The operating system modifies the access permissions by computing the intersection of the inverse of the umask and the permissions requested by the process \[[Viega 2003|AA. Bibliography#Viega 03]\]. For example, if the variable {{requested_permissions}} contained the permissions passed to the operating system to create a new file, the variable {{actual_permissions}} would be the actual permissions that the operating system would use to create the file: |
| Code Block |
|---|
requested_permissions = 0666;
actual_permissions = requested_permissions & ~umask();
|
| Wiki Markup |
|---|
For OpenBSD and Linux operating systems, any file created will have mode {{S_IRUSR\|S_IWUSR\|S_IRGRP\|S_IWGRP\|S_IROTH\|S_IWOTH}} (0666), as modified by the process's umask value. (See [{{fopen(3)}}|http://www.openbsd.org/cgi-bin/man.cgi?query=open&apropos=0&sektion=0&manpath=OpenBSD+Current&arch=i386&format=html] in the OpenBSD Manual Pages \[[OpenBSD|AA. Bibliography#OpenBSD]\].) |
Compliant Solution (Java 1.6 and Earlier)
Java 1.6 and earlier lack a mechanism for specifying default permissions upon file creation. Consequently, the problem must be avoided or solved using some mechanism external to Java, such as by using native code and the Java Native Interface (JNI).
Compliant Solution (POSIX)
The I/O facility java.nio provides classes for managing file access permissions. Additionally, many of the methods and constructors that create files accept an argument allowing the program to specify the initial file permissions.
...
The Files.newByteChannel() method allows a file to be created with specific permissions. This method is platform-independent, although but the actual permissions are platform-specific. This compliant solution defines sufficiently restrictive permissions for POSIX platforms:
| Code Block | ||
|---|---|---|
| ||
Path file = new File("file").toPath(); // Throw exception rather than overwrite existing file Set<OpenOption> options = new HashSet<OpenOption>(); options.add(StandardOpenOption.CREATE_NEW); options.add(StandardOpenOption.APPEND); // File permissions should be such that only user may read/write file Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-------"); FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms); try (SeekableByteChannel sbc = Files.newByteChannel(file, options, attr)) { // writeWrite data }; |
...
Exceptions
FIO03FIO01-J-EX0: Files created within the same trusted domain do , although it is still a good practice. See FIO07 When a file is created inside a directory that is both secure and unreadable by untrusted users, that file may be created with the default access permissions. This could be the case if, for example, the entire file system is trusted or is accessible only to trusted users (see FIO00-J. Do not create temporary operate on files in shared directories regarding how to identify for the definition of a secure directory).
FIO03FIO01-J-EX1: Files that do not contain sensitive privileged information need not be created with appropriate specific access permissions.
Risk Assessment
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted uponIf files are created without appropriate permissions, an attacker may read or write to the files, possibly resulting in compromised system integrity and information disclosure.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|
FIO01-J | Medium |
Probable |
No |
No | P4 | L3 |
Automated Detection
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| JAVA.IO.PERM.ACCESS | Accessing file in permissive mode | ||||||
| Parasoft Jtest |
| CERT.FIO01.ASNF | Avoid implicit file creation when a String is passed as an argument | ||||||
| PVS-Studio |
| V5318 |
Related Guidelines
...
...
...
...
| ISO/IEC TR 24772:2010 | Missing or Inconsistent Access Control [XZN] |
...
...
Incorrect Execution-Assigned Permissions |
...
...
...
Incorrect Default Permissions |
...
...
...
Incorrect Permission Assignment for Critical Resource |
...
Android Implementation Details
Creating files with weak permissions may allow malicious applications to access the files.
Bibliography
[API 2014] | |
[CVE] | |
Chapter 9, "UNIX 1: Privileges and Files" | |
[OpenBSD] | |
"The | |
Section 2.7, "Restricting Access Permissions for New Files on UNIX" |
...
Bibliography
| Wiki Markup |
|---|
\[[API 2006|AA. Bibliography#API 06]\]
\[[CVE|AA. Bibliography#CVE]\]
\[[J2SE 2011|AA. Bibliography#J2SE 11]\]
\[[OpenBSD|AA. Bibliography#OpenBSD]\]
\[[Open Group 2004|AA. Bibliography#Open Group 04]\] "The {{open}} function," and "The {{umask}} function"
\[[Viega 2003|AA. Bibliography#Viega 03]\] Section 2.7, "Restricting Access Permissions for New Files on UNIX"
\[[Dowd 2006|AA. Bibliography#Dowd 06]\] Chapter 9, "UNIX 1: Privileges and Files" |
FIO02-J. Do not assume that read() has filled all the elements of an array 12. Input Output (FIO) FIO04-J. Do not open non-regular files when accessing regular files