[3608] in java-interest
UNIX Links
daemon@ATHENA.MIT.EDU (Mattias Mattsson)
Fri Nov 17 10:31:56 1995
To: java-interest@java.Eng.Sun.COM
Date: Fri, 17 Nov 1995 14:16:10 +0100
From: Mattias Mattsson <mattias@cdt.luth.se>
The concept of links seems to have been removed from the beta release.
The method isAbsolute() thinks a link is an ordinary file. This
means that getAbsolutePath() doesn't resolve links. Our application
executes foreign code with the user's permissions; therefore we must
have a security manager to restrict those. It seems that this
security manager can't control file accesses properly when there
are links in the path of the file that the code tries to access.

For example, a person with access to your computer might put a link
in '/tmp' pointing to your Mail directory. After this he gives you
code that attempts to write to the file '/tmp/link/ImportantLetter'
where 'link' is the link to the Mail directory. If the code is permitted
to write in the '/tmp' directory and its subdirectories, it will also
be allowed to overwrite 'ImportantLetter'.

This wasn't a problem in the alpha release since the method
setReadACL() took care of links.

Is there any way to detect or resolve links in the beta release?
(We use a SPARCstation 5 with Solaris 2.4)
/ Per Danvind
Mattias Mattsson
-
This message was sent to the java-interest mailing list
Info: send 'help' to java-interest-request@java.sun.com
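
The scenario in the message above, as an added example that is not part of the original post: a path check that compares the path as written accepts '/tmp/link/ImportantLetter', while a check that resolves links first rejects it. It uses the java.nio.file API from later Java releases, not the beta discussed in the message; the class name, method names and the temporary directory layout are hypothetical and constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class LinkAwareCheck {
    // Naive policy: compares the path as written, so a link inside the root passes.
    static boolean naiveAllowed(Path root, Path target) {
        return target.toAbsolutePath().normalize()
                     .startsWith(root.toAbsolutePath().normalize());
    }

    // Link-aware policy: resolve every symbolic link first, then compare.
    // The target may not exist yet (a write), so resolve its parent directory.
    static boolean resolvedAllowed(Path root, Path target) throws IOException {
        Path realRoot = root.toRealPath();
        Path parent = target.toAbsolutePath().getParent();
        if (parent == null) return false;              // filesystem root: deny
        Path real = parent.toRealPath().resolve(target.getFileName());
        if (Files.isSymbolicLink(real)) {              // last component is itself a link
            if (!Files.exists(real)) return false;     // dangling link: destination unknown
            real = real.toRealPath();
        }
        return real.startsWith(realRoot);              // element-wise, not string prefix
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for '/tmp' and the Mail directory.
        Path base = Files.createTempDirectory("linkdemo");
        Path sandbox = Files.createDirectory(base.resolve("tmp"));
        Path mail = Files.createDirectory(base.resolve("Mail"));
        Files.createFile(mail.resolve("ImportantLetter"));
        Files.createSymbolicLink(sandbox.resolve("link"), mail);

        Path target = sandbox.resolve("link").resolve("ImportantLetter");
        System.out.println("naive check allows:    " + naiveAllowed(sandbox, target));
        System.out.println("resolved check allows: " + resolvedAllowed(sandbox, target));
        // A path with no link in it is still accepted by the resolved check.
        Path plain = sandbox.resolve("scratch.txt");
        System.out.println("plain file allowed:    " + resolvedAllowed(sandbox, plain));
    }
}
```

A link can still be swapped in between the check and the actual open, so the resolved path, not the original one, is the one to open afterwards.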