[ 
https://issues.apache.org/jira/browse/BROOKLYN-46?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14090833#comment-14090833
 ] 

Sam Corbett commented on BROOKLYN-46:
-------------------------------------

I'll add that I took a quick look at this a while ago and had difficulty 
getting Java to set permissions on files correctly. I can't remember the exact 
issue that prevented me from fixing the issue fully. I came up with this:
{code}
private File getTmpFile(File file) {
    File tmpFile = new File(file.getParentFile(), file.getName()+".tmp");
    // (false, false) then (true, true) pattern disables the permission for everybody then
    // re-enables it for the owner only.
    boolean setRead = tmpFile.setReadable(false, false) && tmpFile.setReadable(true, true),
            setWrite = tmpFile.setWritable(false, false) && tmpFile.setWritable(true, true),
            setExec = tmpFile.setExecutable(false, false);
    if (!setRead || !setWrite || !setExec) {
        System.out.println(String.format("Setting permissions of %s to read-write for owner only failed. " +
                        "setRead=%s, setWrite=%s, setExecutable=%s",
                new Object[]{tmpFile.getAbsolutePath(), setRead, setWrite, setExec}));
    } else {
        System.out.println("Correct permissions set on: " + tmpFile.getAbsolutePath());
    }
    return tmpFile;
}
{code}


> Files created by persistence mechanism should not be readable by other users
> ----------------------------------------------------------------------------
>
>                 Key: BROOKLYN-46
>                 URL: https://issues.apache.org/jira/browse/BROOKLYN-46
>             Project: Brooklyn
>          Issue Type: Bug
>            Reporter: Sam Corbett
>            Assignee: Aled Sage
>
> Originally reported at: 
> https://github.com/brooklyncentral/brooklyn/issues/1240
> Files containing persisted state have permissions 644. Files containing 
> persisted locations contain private key data. Other users should not be able 
> to read this data. We should follow ssh's practice and restrict access to the 
> user that owns the private key.
> {code}
> $ su otheruser
> $ ls -l /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations
> total 112
> -rw-r--r--  1 sam  staff  2319 10 Mar 10:38 BhIXCfBt
> -rw-r--r--  1 sam  staff  2317 10 Mar 10:38 FktCwLnX
> ...
> $ cat /Users/sam/.brooklyn/brooklyn-persisted-state/data/locations/BhIXCfBt 
> <location>
>   <brooklynVersion>0.7.0-SNAPSHOT</brooklynVersion>
>   <type>brooklyn.location.basic.SshMachineLocation</type>
>   <id>BhIXCfBt</id>
>   <displayName>SshMachineLocation:BhIX</displayName>
>   <children/>
>   <locationConfig>
>     <longitude type="double">-77.48750305175781</longitude>
>     <port type="int">22</port>
>     <latitude type="double">39.043701171875</latitude>
>     <user>sam</user>
>     <privateKeyData>-----BEGIN RSA PRIVATE KEY-----
>     ... :-(
> {code}
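
An added example, not part of the original comment or of Brooklyn's code: one way to write a persisted-state file so that it is owner-only (mode 600, as ssh expects for private keys) from the moment it is created. It assumes Java 7+ NIO.2 and a POSIX file system; the class name, method names and sample content are hypothetical.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.PosixFilePermissions;

public class OwnerOnlyPersist {
    /** Writes data to target through a sibling .tmp file that other users can never read. */
    static void writeOwnerOnly(Path target, byte[] data) throws IOException {
        if (!isPosix(target)) {
            // Assumption of this example: only POSIX file systems are handled.
            throw new UnsupportedOperationException("POSIX permissions not supported: " + target);
        }
        Path tmp = target.resolveSibling(target.getFileName() + ".tmp");
        Files.deleteIfExists(tmp); // stale temp file from an interrupted write
        // The mode is applied by the create call itself, so the file never exists
        // with wider permissions (the process umask can only remove bits).
        Files.createFile(tmp, PosixFilePermissions.asFileAttribute(
                PosixFilePermissions.fromString("rw-------")));
        // Secret bytes are written only after the restrictive mode is in place.
        Files.write(tmp, data);
        // The rename keeps the temp file's mode and replaces any previous state file.
        Files.move(tmp, target, StandardCopyOption.ATOMIC_MOVE);
    }

    static boolean isPosix(Path p) {
        return p.getFileSystem().supportedFileAttributeViews().contains("posix");
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample location and content, not real persisted state.
        Path dir = Files.createTempDirectory("persist-demo");
        Path target = dir.resolve("BhIXCfBt");
        byte[] sample = "<location>constructed sample</location>"
                .getBytes(StandardCharsets.UTF_8);
        writeOwnerOnly(target, sample);
        writeOwnerOnly(target, sample); // a second write replaces the first
        System.out.println(target + " "
                + PosixFilePermissions.toString(Files.getPosixFilePermissions(target)));
    }
}
```

Because the file is replaced by rename, the directory holding it also needs to be writable only by the owner for the restriction to hold.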


