Hi Rory,
Build 140 did not display the file permissions problems described here:
http://mail.openjdk.java.net/pipermail/jdk9-dev/2016-October/005062.html. However,
I did see file permissions problems with JDK 9 build 144. It has taken
me a while to write a compact repro for the file permissions problems,
but I have finally succeeded. My results are described in the comments
dated from 2016-11-15 through 2016-12-03 on the following JIRA issue:
https://issues.apache.org/jira/browse/DERBY-6856
I am attaching the repro to this mail message, along with the following
summary, copied from DERBY-6856:
-----------------------------------
It has taken me a while, but I now have a compact repro for the
regression in JDK 9 build 144. I am attaching the following files:
PTest.java - A test which shows this problem
ptestScript - A script for building the test and running it
To show the problem, put PTest.java in the current directory and run
ptestScript. The script will compile the test class and put the test
class inside a jar file in the parent directory. Then the script will
run the test in setup mode, creating a subdirectory of the current
directory and a policy file. Finally, the script will run the test under
a security manager, demonstrating the problem on JDK 9 build 144.
I have observed the following:
1) The problem only occurs if the jar file which receives privileges is
in the parent directory of the current directory. If the jar file is in
the current directory, then the problem does not occur.
2) The problem only occurs if the policy file grants write permission as
well as read permission on the target directory.
Here is the output of the script when it is run using JDK 8:
------
java version "1.8.0_101"
Java(TM) SE Runtime Environment (build 1.8.0_101-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.101-b13, mixed mode)
Compile the test and jar it up...
Run the test in setup mode, creating a subdirectory and policy file...
Policy file is...
grant codeBase "file:/Users/rhillegas/derby/PTest.jar" {
permission java.io.FilePermission
"/Users/rhillegas/derby/mainline/ptestdir/-", "write";
permission java.io.FilePermission
"/Users/rhillegas/derby/mainline/ptestdir/-", "read";
};
Now run the experiment under a security manager...
Checking for existence of
/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt
'/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt' exists = false
------
Here is the output from the script when the current environment uses jdk
9 build 144:
------
java version "9-ea"
Java(TM) SE Runtime Environment (build 9-ea+144)
Java HotSpot(TM) 64-Bit Server VM (build 9-ea+144, mixed mode)
Compile the test and jar it up...
Run the test in setup mode, creating a subdirectory and policy file...
Policy file is...
grant codeBase "file:/Users/rhillegas/derby/PTest.jar" {
permission java.io.FilePermission
"/Users/rhillegas/derby/mainline/ptestdir/-", "write";
permission java.io.FilePermission
"/Users/rhillegas/derby/mainline/ptestdir/-", "read";
};
Now run the experiment under a security manager...
Checking for existence of
/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt
Caught a java.security.AccessControlException bearing this message:
access denied ("java.io.FilePermission"
"/Users/rhillegas/derby/mainline/ptestdir/zdummy.txt" "read")
------
Best regards,
-Rick
On 11/14/16, 4:04 AM, Rory O'Donnell wrote:
Hi Rick,
Early Access b144 <https://jdk9.java.net/jigsaw/> (#5709) for JDK 9
with Project Jigsaw is available on java.net, summary of changes are
listed here.
<http://www.java.net/download/java/jigsaw/archive/144/binaries/jdk-9+144.html>
Early Access b144 <https://jdk9.java.net/download/> for JDK 9 is
available on java.net, summary of changes are listed here
<http://www.java.net/download/java/jdk9/changes/jdk-9+144.html>.
There have been a number of fixes to bugs reported by Open Source
projects since the last availability email :
* JDK-8156149 : Blurry rendering on Windows 7 at 125% screen setting
* JDK-8167431 : tools javac takes too long time to resolve
interface dependency
* JDK-8062810 : infrastructure Examine src.zip in JDK image and
decide if source classes should be organized by module
*Proposal* - latest update
* b142 of JDK 9 with project Jigsaw has the initial
implementation of open modules and open packages as detailed in
the recent proposal for #ReflectiveAccessToNonExportedTypes [1]
*Tool*
Adapted from JEP 277 [2]
* A static analysis tool jdeprscan has been provided that scans a
jar file (or some other aggregation of class files) for uses of
deprecated API elements.
*Schedule*
* The proposed JDK 9 schedule has been adopted and posted on the
Open JDK 9 Project Page [3]
Rgds,Rory
[1]
http://mail.openjdk.java.net/pipermail/jpms-spec-experts/2016-October/000430.html
[2] http://openjdk.java.net/jeps/277
[3] http://openjdk.java.net/projects/jdk9/
--
Rgds,Rory O'Donnell
Quality Engineering Manager
Oracle EMEA , Dublin, Ireland
#! /bin/bash
#
# Compile and run the PTest program
java -version
policyFile=PTest.policy
curDir=`pwd`
cd ..
jarFile=`pwd`/PTest.jar
cd $curDir
echo Compile the test and jar it up...
javac PTest.java
jar cf $jarFile PTest*.class
echo Run the test in setup mode, creating a subdirectory and policy file...
java -cp $jarFile PTest $curDir $jarFile $policyFile
echo Policy file is...
cat $policyFile
echo Now run the experiment under a security manager...
java -cp $jarFile -Djava.security.manager -Djava.security.policy=$policyFile
PTest $curDir
import java.io.File;
import java.io.PrintWriter;
import java.io.IOException;
import java.security.AccessController;
import java.security.ProtectionDomain;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.text.MessageFormat;
public class PTest
{
private static final String SUB_DIR = "ptestdir";
private static final String FILE_TO_READ = "zdummy.txt";
private static final String POLICY_FILE_NAME = "PTest.policy";
private static final String POLICY_FILE =
"grant codeBase \"file:JAR_FILE\" {\n" +
" permission java.io.FilePermission \"CUR_DIR/" + SUB_DIR + "/-\",
\"write\";\n" +
" permission java.io.FilePermission \"CUR_DIR/" + SUB_DIR + "/-\",
\"read\";\n" +
"};\n";
public static void main(String... args) throws Exception
{
File currentDirectory = new File(args[0]);
boolean setupMode = (args.length > 1);
if (setupMode)
{
File jarFile = new File(args[1]);
File policyFile = new File(args[2]);
setup(currentDirectory, jarFile, policyFile);
}
else
{
File subdir = new File(currentDirectory, SUB_DIR);
File fileToRead = new File(subdir, FILE_TO_READ);
checkFileExists(fileToRead.getAbsolutePath());
}
}
private static void setup
(File currentDirectory, File jarFile, File policyFile)
throws Exception
{
// create the subdirectory
File subdir = new File(currentDirectory, SUB_DIR);
subdir.mkdir();
String policyFileContents = POLICY_FILE
.replace("JAR_FILE", jarFile.getAbsolutePath())
.replace("CUR_DIR", currentDirectory.getAbsolutePath());
writePolicyFile(policyFile, policyFileContents);
}
private static void writePolicyFile(File policyFile, String contents) throws
Exception
{
PrintWriter pw = new PrintWriter(policyFile);
pw.println(contents);
pw.flush();
pw.close();
}
private static void checkFileExists(final String fileName)
{
try
{
boolean fileExists =
(
AccessController.doPrivileged
(
new PrivilegedExceptionAction<Boolean>()
{
public Boolean run()
throws SecurityException, IOException
{
println("Checking for existence of " + fileName);
File f = new File(fileName);
boolean exists = f.exists();
return exists;
}
}
)
);
println("'" + fileName + "' exists = " + fileExists);
}
catch (Throwable t) { printThrowable(t); }
}
private static void printThrowable(Throwable t)
{
println("Caught a " + t.getClass().getName() + " bearing this message: " +
t.getMessage());
}
private static void println(String text) { System.out.println(text); }
}