Re: I need a more secure FileBackedOutputStream

196 views
Skip to first unread message

Peter Ondruška

unread,
Apr 11, 2013, 11:46:24 PM4/11/13
to guava-...@googlegroups.com
is this what you try to achieve?

export TMPDIR=/tmp/$( whoami )
mkdir -p $TMPDIR && chmod go= $TMPDIR

java honors TMPDIR environment variable and uses that for temporary files.

On Thursday, 11 April 2013 23:10:35 UTC+2, Robert Huffman wrote:
Temp files are a common security weakness for applications (see http://cwe.mitre.org/data/definitions/377.html). The weakness can be mitigated by creating them in directories that are not world-readable and setting permissions so only the owner can access them.

FileBackedOutputStream uses File.createTempFile(String, String) when it needs to buffer to disk. That means the file is created in /tmp on a Linux box using the umask of the the principal running the JVM. This actually prevents me from using this class: I need to create these files in a directory of my choosing (which I can be sure is not accessible to the word). I can also need to set the permissions on the file so only the owner can read or write the file.


Joachim Durchholz

unread,
Apr 12, 2013, 3:01:19 AM4/12/13
to guava-...@googlegroups.com
Am 11.04.2013 23:10, schrieb Robert Huffman:
> Temp files are a common security weakness for applications (see
> http://cwe.mitre.org/data/definitions/377.html).

As far as I know, the various weaknesses detailed here have been
addressed in one form or the other:
- /tmp is created with the sticky bit set since many years now,
preventing attacks based on renaming files.
- createTempFile was fixed somewhere around 2008 to generate
unpredictable names, preventing pregenerating attacker-owned
world-writable files in /tmp.

What's not fixed is umask, which by default is still 022 instead of 077,
but that's something that needs to be fixed no matter how you create
tempfiles.

I don't know enough details to really assess how secure
File.createTempFile is.
In the end, at least OpenJdk's implementation delegates to
UnixFileSystem.createFileExclusively, which is native, so that might
have to be checked, too.

> The weakness can be
> mitigated by creating them in directories that are not world-readable
> and setting permissions so only the owner can access them.

File.createTempDir, then set TEMP to point to the generated directory.

> FileBackedOutputStream uses File.createTempFile(String, String) when it
> needs to buffer to disk. That means the file is created in /tmp on a Linux
> box using the umask of the the principal running the JVM. This actually
> prevents me from using this class: I need to create these files in a
> directory of my choosing (which I can be sure is not accessible to the
> word).

If the software fails to clean the temporary files (e.g. due to a JVM
crash), they will remain and create a resource leak.
For /tmp, any sane Linux installation will periodically remove old
temporary files. Temporary files outside /tmp will need to be cleaned by
some other means.

> I can also need to set the permissions on the file so only the owner
> can read or write the file.

If the file is inside a directory that only you can read or write files
in, the permission is irrelevant; if the file is inside a directory that
somebody else can read or write, setting the permission will leave a
window of opportunity to open the file between file creation and
permission change.
So, setting permissions isn't going to gain you much, umask would be
preferrable no matter what.
Reply all
Reply to author
Forward
0 new messages