Page History

Files on multiuser systems are generally owned by a particular user. The owner of the file can specify which other users on the system should be allowed to access the contents of these files.

These file systems Many filesystems provide access to their files to multiple users, and not all of the users are trustworthy. These filesystems generally use a privileges and permissions system to prevent untrusted users from accessing sensitive filesmodel to protect file access. When a new file is created, the file access permissions of the file immediately dictate who may access or operate on the file. If When a program creates a file with insufficiently restrictive access permissions, an attacker may read or modify the file before the program is able can modify the permissions. Consequently, any file created by a program files must be created with access permissions that prevent untrusted users from accessing or modifying the file.

Java provides several methods for creating files. Furthermore, several classes, such as FileOutputStream can create files in their constructors. Prior to Java 1.7, these methods were unable to specify access permissions when creating files. In these cases, the problem of making sure the file is not created with insufficient permissions falls outside the program and must be handled by anyone executing the program.

Java 1.7 new I/O facility (java.nio) provides a rich set of classes for managing file access permissions. Furthermore, many of the methods and constructors that create files accept an argument allowing the program to specify initial permissions of the file. If a file might otherwise be accessable to untrusted users, a Java 1.7 program must create the file with sufficiently restrictive access permissionsunauthorized file access.

Noncompliant Code Example

The constructors for FileOutputStream and FileWriter do not allow the programmer to explicitly specify file access permissions. This applies to Java 1.7, as well as previous versions of Java. In this noncompliant code example, if the constructor creates a new file, which is accessible by untrusted users, the access permissions of any file created are implementation-defined, and are likely to grant untrusted users the ability to read or modify the file. and may not prevent unauthorized access:

Code Block

bgColor	#FFCCCC


Writer out = new FileWriter("file");

Implementation Details (POSIX)

Wiki Markup

On POSIX systems, the default permissions of a file upon creation are specified by the umask \[[Open Group 2004|AA. Bibliography#Open Group 04]\]. A umask is associated with each process, and is inherited by any processes created by that process. Furthermore, POSIX provides system calls to modify the umask; consequently the umask of a program can not be trusted to be sufficient if the program is invoked by an untrusted user. Unfortunately, Java does not provide any mechanism to access or modify the umask of a Java program, and therefore any Java method or constructor that creates a file without specifying explicit permissions will create the file with permissions set by the umask, which may be insufficiently restrictive.

Compliant Solution

Compliant Solution (Java 1.6 and Earlier)

Since Java 1.6 and earlier provide no lack a mechanism for specifying default permissions upon file creationscreation. Consequently, the problem must be solved outside of the Java program. This can be accomplished avoided or solved using some mechanism external to Java, such as by using native code and the Java Native Interface (JNI). In POSIX, it can also be done by allowing the Java program to be invoked only via a batch script that set a sufficiently restrictive umask.

...

Compliant Solution (POSIX)

The I/O facility java.nio provides classes for managing file access permissions. Additionally, many of the methods and constructors that create files accept an argument allowing the program to specify the initial file permissions.

The Files.newByteChannel() method allows a file to be created with specific permissions. This method is platform-independent, but the actual permissions are platform-specific. The following This compliant solution illustrates defines sufficiently restrictive permissions for POSIX platforms.:

Code Block

bgColor	#ccccff


Path file = new File("file").toPath();

// Throw exception rather than overwrite existing file
Set<OpenOption> options = new HashSet<OpenOption>();
options.add(StandardOpenOption.CREATE_NEW);
options.add(StandardOpenOption.APPEND);

// File permissions should be such that only user may read/write file
Set<PosixFilePermission> perms =
    PosixFilePermissions.fromString("rw-------");
FileAttribute<Set<PosixFilePermission>> attr =
    PosixFilePermissions.asFileAttribute(perms);

try (SeekableByteChannel sbc =
         Files.newByteChannel(file, options, attr)) {
  // writeWrite data
};

Exceptions

FIO03FIO01-J-EX0: If When a file is created inside a directory that is both secure and unreadable by untrusted users, then that file may be created with the default access permissions. See FIO07-J. Do not create temporary files in shared directories for the definition of a secure directory. This could be the case if, for example, the entire filesystem file system is trusted , or is accessible only to trusted users (see FIO00-J. Do not operate on files in shared directories for the definition of a secure directory).

FIO01-JFIO03-EX1: Files that do not contain sensitive privileged information need not be created with specific access permissions.

Risk Assessment

The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted uponIf files are created without appropriate permissions, an attacker may read or write to the files, possibly resulting in compromised system integrity and information disclosure.

Rule	Severity	Likelihood

Remediation Cost

Detectable	Repairable	Priority	Level

FIO03

FIO01-J

Medium

medium

Probable

probable

No

high

No

P4

L3

Automated Detection

...

Tool Version Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
JAVA.IO.PERM.ACCESS
JAVA.IO.PERM
Accessing file in permissive mode
Permissive file mode
Parasoft Jtest
Include Page
Parasoft_V
Parasoft_V
CERT.FIO01.ASNF
CERT.FIO01.CFAP
Avoid implicit file creation when a String is passed as an argument
Create files with appropriate access permissions
PVS-Studio
Include Page
PVS-Studio_V
PVS-Studio_V
V5318

Related Guidelines

SEI CERT C++

Secure

Coding Standard	VOID FIO06-CPP. Create files with appropriate access permissions
SEI CERT C

Secure

Coding Standard	FIO06-C. Create files with appropriate access permissions
ISO/IEC TR 24772:2010	Missing or Inconsistent Access Control [XZN]
MITRE CWE	CWE-279,

"

Incorrect Execution-Assigned Permissions

"

CWE-276,

"

Incorrect Default Permissions

"

CWE-732,

"

Incorrect Permission Assignment for Critical Resource

"

Bibliography

Android Implementation Details

Creating files with weak permissions may allow malicious applications to access the files.

Bibliography

[API 2014]
[CVE]
[Dowd 2006]	Chapter 9, "UNIX 1: Privileges and Files"
[J2SE 2011]
[OpenBSD]
[Open Group 2004]	"The `open` Function" "The `umask` Function"
[Viega 2003

<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="76bfa0bb-10bf-4a63-ad81-b16af902a652"><ac:plain-text-body><![CDATA[

[[API 2006

AA. Bibliography#API 06]]