Files on multiuser systems are generally owned by a particular user. The owner of the file can determine specify which other users on the system should be allowed to access the contents of these files.
These filesystems generally file systems use a privileges and permissions model to protect file access. When a file is created, the file access permissions of the file immediately dictate who may access or operate on the file. If When a program creates a file with insufficiently restrictive access permissions, an attacker may read or modify the file before the program can modify the permissions. Consequently, files must be created with access permissions that prevent unauthorized file access.
Java provides several methods for creating files. Additionally, several classes, such as FileOutputStream can create files in their constructors. Prior to Java 1.7, these methods were unable to specify access permissions when creating files. In these cases, the problem of ensuring the file is created with adequate permissions falls outside the program and must be managed by anyone executing the program.
The Java 1.7 new I/O facility (java.nio) provides classes for managing file access permissions. Additionally, many of the methods and constructors that create files accept an argument allowing the program to specify the initial file permissions.
Noncompliant Code Example
The constructors for FileOutputStream and FileWriter do not allow the programmer to explicitly specify file access permissions. This applies to Java 1.7, as well as previous versions of Java. In this noncompliant code example, if the constructor creates a new file, which is accessible by untrusted users, the access permissions of any file created are implementation-defined, and are likely to grant untrusted users the ability to read or modify the file. and may not prevent unauthorized access:
| Code Block | ||
|---|---|---|
| ||
Writer out = new FileWriter("file");
|
Implementation Details (POSIX)
| Wiki Markup |
|---|
On POSIX systems, the default permissions of a file upon creation are specified by the umask \[[Open Group 2004|AA. Bibliography#Open Group 04]\]. A umask is associated with each process, and is inherited by any processes created by that process. Furthermore, POSIX provides system calls to modify the umask; consequently the umask of a program can not be trusted to be sufficient if the program is invoked by an untrusted user. Unfortunately, Java does not provide any mechanism to access or modify the umask of a Java program, and therefore any Java method or constructor that creates a file without specifying explicit permissions will create the file with permissions set by the umask, which may be insufficiently restrictive. |
Compliant Solution
Compliant Solution (Java 1.6 and Earlier)
Since Java 1.6 and earlier provide no lack a mechanism for specifying default permissions upon file creationscreation. Consequently, the problem must be solved outside of the Java program. This can be accomplished avoided or solved using some mechanism external to Java, such as by using native code and the Java Native Interface (JNI). In POSIX, it can also be done by allowing the Java program to be invoked only via a batch script that set a sufficiently restrictive umask.
Compliant Solution (Java 1.7, POSIX)
Compliant Solution (POSIX)
The I/O facility java.nio provides classes for managing file access permissions. Additionally, many of the methods and constructors that create files accept an argument allowing the program to specify the initial file permissions.
The Files.newByteChannel() method allows a file to be created with specific permissions. This method is platform-independent, but the actual permissions are platform-specific. The following This compliant solution illustrates defines sufficiently restrictive permissions for POSIX platforms.:
| Code Block | ||
|---|---|---|
| ||
Path file = new File("file").toPath(); // Throw exception rather than overwrite existing file Set<OpenOption> options = new HashSet<OpenOption>(); options.add(StandardOpenOption.CREATE_NEW); options.add(StandardOpenOption.APPEND); // File permissions should be such that only user may read/write file Set<PosixFilePermission> perms = PosixFilePermissions.fromString("rw-------"); FileAttribute<Set<PosixFilePermission>> attr = PosixFilePermissions.asFileAttribute(perms); try (SeekableByteChannel sbc = Files.newByteChannel(file, options, attr)) { // writeWrite data }; |
Exceptions
FIO03FIO01-J-EX0: If When a file is created inside a directory that is both secure and unreadable by untrusted users, then that file may be created with the default access permissions. See FIO07-J. Do not create temporary files in shared directories for the definition of a secure directory. This could be the case if, for example, the entire filesystem file system is trusted , or is accessible only to trusted users (see FIO00-J. Do not operate on files in shared directories for the definition of a secure directory).
FIO01-JFIO03-EX1: Files that do not contain sensitive privileged information need not be created with specific access permissions.
Risk Assessment
The ability to determine if an existing file has been opened or a new file has been created provides greater assurance that a file other than the intended file is not acted uponIf files are created without appropriate permissions, an attacker may read or write to the files, possibly resulting in compromised system integrity and information disclosure.
Rule | Severity | Likelihood | Detectable |
|---|
Repairable | Priority | Level |
|---|
FIO01-J | Medium |
Probable |
No |
No | P4 | L3 |
Automated Detection
...
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| CodeSonar |
| JAVA.IO.PERM.ACCESS | Accessing file in permissive mode | ||||||
| Parasoft Jtest |
| CERT.FIO01.ASNF | Avoid implicit file creation when a String is passed as an argument | ||||||
| PVS-Studio |
| V5318 |
Related Guidelines
VOID FIO06-CPP. Create files with appropriate access permissions | |
| ISO/IEC TR 24772:2010 | Missing or Inconsistent Access Control [XZN] |
Incorrect Execution-Assigned Permissions |
Incorrect Default Permissions |
Incorrect Permission Assignment for Critical Resource |
Bibliography
Android Implementation Details
Creating files with weak permissions may allow malicious applications to access the files.
Bibliography
[API 2014] | |
[CVE] | |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="a2d22920-b00e-4e1f-9538-966ed7350bfd"><ac:plain-text-body><![CDATA[
[[API 2006
AA. Bibliography#API 06]]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="244d3af6-30dc-4717-a962-61b041fa4b93"><ac:plain-text-body><![CDATA[
[[CVE
AA. Bibliography#CVE]]
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f791c86f-5306-4788-8423-d2a51322ede8"><ac:plain-text-body><![CDATA[
[[Dowd 2006
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="3f46c4b1-de3d-4328-9d2b-c95b917525e4"><ac:plain-text-body><![CDATA[
Chapter 9, "UNIX 1: Privileges and Files" |
]]></ac:plain-text-body></ac:structured-macro>
[ |
AA. Bibliography#J2SE 11]]
] |
[ |
AA. Bibliography#OpenBSD]]
] |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="31491f87-e219-4936-84d5-015397d7c640"><ac:plain-text-body><![CDATA[
] |
"The |
Function" |
|
]]></ac:plain-text-body></ac:structured-macro>
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="5403c68e-cacb-41fd-b12a-6130f56eb322"><ac:plain-text-body><![CDATA[
[[Viega 2003
Function" | |
Section 2.7, "Restricting Access Permissions for New Files on UNIX" |
]]></ac:plain-text-body></ac:structured-macro>
...
FIO02-J. Ensure the array is filled when using read() to fill an array 12. Input Output (FIO) FIO04-J. Do not open non-regular files when accessing regular files