File.open with permissions has side effect of clearing umask
-----------------------------------------------------------
Key: JRUBY-4937
URL: http://jira.codehaus.org/browse/JRUBY-4937
Project: JRuby
Issue Type: Bug
Affects Versions: JRuby 1.5.1
Environment: Linux 2.6.33.6-147.fc13.x86_64 #1 SMP x86_64
jruby 1.5.1 (ruby 1.8.7 patchlevel 249) (2010-06-06 f3a3480) (Java HotSpot(TM)
Server VM 1.6.0_21) [i386-java]
jruby 1.5.1 (ruby 1.8.7 patchlevel 249) (2010-07-14 f3a3480) (Java HotSpot(TM)
64-Bit Server VM 1.6.0_21) [amd64-java]
Reporter: David Kellum
Assignee: Thomas E Enebo
It's been bothering me for a while that my gems have been getting installed world
writable. Not the best security. Using strace I was able to see that the
jruby process was actually calling:
umask(0)
which drops the normal 0002 or 0022 umask that would normally prevent world
writable files/directories (i.e. 0666/0777). I was then able to simplify it to
the following test code:
{noformat}
require 'fileutils'
include FileUtils
# Cleanup old test files just in case
rm_rf %w[ out.0 out.1.0644 out.2 ]
File.umask( 0172 ) # Set umask to fixed weird test value
open( "out.0", 'w' ) { |f| f.puts File.umask }
open( "out.1.0644", 'w', 0707 ) { |f| f.puts File.umask }
open( "out.2", 'w' ) { |f| f.puts File.umask }
{noformat}
Here is output MRI vs JRuby 1.5.1:
{noformat}
% ruby test.rb && ll out* && cat out*
-rw----r--. 1 david david 4 Jul 14 21:43 out.0
-rw----r-x. 1 david david 4 Jul 14 21:43 out.1.0644*
-rw----r--. 1 david david 4 Jul 14 21:43 out.2
122
122
122
% jruby test.rb && ll out* && cat out*
-rw----r--. 1 david david 4 Jul 14 21:43 out.0
-rw----r-x. 1 david david 2 Jul 14 21:43 out.1.0644*
-rw-rw-rw-. 1 david david 2 Jul 14 21:43 out.2
122
0
0
{noformat}
As you can see, after calling open( "out.1.0644", 'w', 0707 ), the umask is
lost in jruby and results in a 666 out.2 file, unlike MRI.
Here is the culprit:
RubyFile:519: .sysopenInternal() [bac8e827]
{noformat}
int umask = getRuntime().getPosix().umask(0);
perm = perm - (perm & umask);
{noformat}
I'm sure this was put in place to work around some other java quirk with regard
to Unix and umask. But note that umask(0) not only gets the current umask, but
sets the umask to 0.
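
An added example, not part of the original report or of JRuby's code: a self-restoring regression check for the behaviour described above, which also shows the set-then-restore idiom that reading a umask requires. The names effective_mode, read_umask and check_umask_survives_open are hypothetical; the test value 0172 is the one used in the report.

```ruby
require 'tmpdir'

TEST_UMASK = 0172 # same odd test value as the report

# Mode a new file actually gets: perm & ~umask, which is the same result
# as the report's perm - (perm & umask).
def effective_mode(perm, umask)
  perm & ~umask & 0777
end

# umask(2) has no read-only form, so reading it means set-then-restore.
# Not thread-safe: a file created by another thread inside this window
# is created with umask 0.
def read_umask
  old = File.umask(0) # returns the previous mask and sets 0
  File.umask(old)     # put it back immediately
  old
end

# Opens a file with explicit permissions, then checks that the process
# umask and the mode of a file created afterwards are still governed by it.
def check_umask_survives_open
  saved = read_umask
  Dir.mktmpdir('umask-check') do |dir| # created before the test umask applies
    begin
      File.umask(TEST_UMASK)
      File.open(File.join(dir, 'with_perm'), 'w', 0707) { |f| f.puts 'x' }
      after = read_umask
      later = File.join(dir, 'later')
      File.open(later, 'w') { |f| f.puts 'x' }
      mode = File.stat(later).mode & 0777
      { umask_after: after, later_mode: mode,
        ok: after == TEST_UMASK && mode == effective_mode(0666, TEST_UMASK) }
    ensure
      File.umask(saved) # never leave the caller's umask changed
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  r = check_umask_survives_open
  printf("umask after open: %04o, later file mode: %04o, %s\n",
         r[:umask_after], r[:later_mode], r[:ok] ? 'OK' : 'UMASK LOST')
end
```

On a runtime with the behaviour reported here, the check would report umask 0000 and mode 0666 for the later file.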