Posted to user@turbine.apache.org by "Lang, Cliff" <cl...@proxicom.com> on 2002/03/04 12:27:00 UTC
File - security / testing - turbine.util.Upload java.io.File().canWrite() always returns true
This may be more appropriate for a Java list, but I've searched around and
have found no information.
Platform:
Sparc 4m/4u
Solaris 2.7
Java 1.3.1_2 & 1.4
Turbine 2.2
When working with the upload routine, I wanted to test for a file's
write-ability and found java.io.File().canWrite() always returns true
(if the file exists).
So even if I make a file read-only (-r--r--r--), canWrite() returns
true, and my file can be overwritten.
I am running the tdk on a privileged port, so it runs as root. With the
above effect I can't protect any of my files (system or not) at the OS.
Is there some SecurityManager or SecurityPolicy I need to run? I thought
those targeted Applets -
How do others run their app as root but protect (obey) the file system?
Thanks, Cliff
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: File - security / testing - turbine.util.Upload java.io.File().canWrite() always returns true
Posted by Daniel Rall <dl...@finemaltcoding.com>.
"Lang, Cliff" <cl...@proxicom.com> writes:
> This may be more appropriate for a Java list, but I've searched around and
> have found no information.
>
> Platform:
> Sparc 4m/4u
> Solaris 2.7
> Java 1.3.1_2 & 1.4
> Turbine 2.2
>
>
> When working with the upload routine, I wanted to test for a file's
> write-ability and found java.io.File().canWrite() always returns true
> (if the file exists).
>
> So even if I make a file read-only (-r--r--r--), canWrite() returns
> true, and my file can be overwritten.
>
> I am running the tdk on a privileged port, so it runs as root. With the
> above effect I can't protect any of my files (system or not) at the OS.
I speculate that canWrite() returns true because you're running as
root (who can write to read-only files). Try setuidgid() to another
user.
Dan
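Added example, not from either poster and not Turbine code: the behaviour discussed in this thread, shown next to an explicit check of the file's mode bits that gives the same answer whichever user the JVM runs as. It assumes a POSIX file system and the java.nio.file API (Java 7 and later, so newer than the Java versions named above); the class name, method name and sample file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

// Added example: UploadTargetCheck and mayOverwrite are hypothetical names, not Turbine code.
public class UploadTargetCheck {

    // Decide whether an upload may replace `name` inside uploadDir by reading the
    // mode bits directly, so the answer does not depend on which user the JVM runs as.
    static boolean mayOverwrite(Path uploadDir, String name) throws IOException {
        Path dir = uploadDir.toRealPath();
        Path target = dir.resolve(name).normalize();
        if (!target.startsWith(dir) || target.equals(dir)) {
            return false;                         // path escapes the upload directory
        }
        if (!Files.exists(target, LinkOption.NOFOLLOW_LINKS)) {
            return true;                          // nothing to overwrite
        }
        if (!Files.isRegularFile(target, LinkOption.NOFOLLOW_LINKS)) {
            return false;                         // symlink, directory or device node
        }
        Set<PosixFilePermission> mode =
                Files.getPosixFilePermissions(target, LinkOption.NOFOLLOW_LINKS);
        return mode.contains(PosixFilePermission.OWNER_WRITE);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary upload directory with one read-only file.
        Path dir = Files.createTempDirectory("upload-demo");
        Path readOnly = Files.createFile(dir.resolve("report.txt"));
        Files.setPosixFilePermissions(readOnly, PosixFilePermissions.fromString("r--r--r--"));

        System.out.println("user.name            = " + System.getProperty("user.name"));
        // canWrite() reflects what the OS grants the running user; as root that is true.
        System.out.println("File.canWrite()      = " + readOnly.toFile().canWrite());
        // The explicit mode-bit check reports false for -r--r--r-- for any user.
        System.out.println("mayOverwrite(ro)     = " + mayOverwrite(dir, "report.txt"));
        System.out.println("mayOverwrite(new)    = " + mayOverwrite(dir, "new.txt"));
        System.out.println("mayOverwrite(escape) = " + mayOverwrite(dir, "../etc/passwd"));
    }
}
```

The check and the later write are separate steps, so a file can change between them; running the JVM as an unprivileged user lets the OS enforce the mode bits at write time.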