I think what we have here is that the call is "secure", providing that the user has the correct umask set up for however the system administrator has set up the groups on their system.

The problem occurs when somebody inadvertently uses a umask like "002", on a system where all the users are members of a common group. In that case, the files will be made group writeable (and readable). Of course, this affects files not just in /tmp, but also in any other directory.

I guess, it's really the user's responsibility to make sure they are using a sane umask. And there are definitely cases where there may be code written that may depend on the "group readable/writeable" Unix file permissions. Since Java doesn't provide a standard way to chmod files, it might be wrong to take that feature away.

On the other hand, many users aren't aware of the existence of umask - it's a slightly more advanced Unix topic. And it is an easy thing to get wrong.

How about this for a solution?

 - we make the default mode "0600", so in default operation, Kaffe will only create files readable/writeable by the user (not group or other).

 - we provide a property setting (eg. -Dkaffe.filecreatemode=0666) to enable people to create group readable/writable, or any other combination of permissions (providing they also set their umask, of course).

Cheers,

 - Jim

On Mon, 2003-03-03 at 07:45, Dalibor Topic wrote:
> Hi Jim, hi Mark,
>
> --- Jim Pick <[EMAIL PROTECTED]> wrote:
>
> > So, I personally vote for changing the mode to
> > "0644" or "0600".
>
> me too ;)
>
> > Does anybody else know anything about this issue?
>
> I've tried to look it up in Sun's bug database, but
> there is no information about it, of the 47
> createTempFile related bug reports.
>
> I've also looked in the Java Class Libraries 2nd Ed
> Vol. 1 Supplement, again nothing.
>
> On the other hand, you can find it mentioned as a java
> security problem here:
> http://www.networkcomputing.com/1108/1108ws3side1.html?ls=NCJS_1108rt
> http://tigerenvelopes.sourceforge.net/Security.html
>
> cheers,
> dalibor topic

_______________________________________________
kaffe mailing list
[EMAIL PROTECTED]
http://kaffe.org/cgi-bin/mailman/listinfo/kaffe
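
The interaction discussed in the message above, as an added example that is not part of the original thread and is not Kaffe's code: it creates a file with a requested mode under a given umask and reports the permission bits the file actually receives, and it parses an octal override of the kind the proposed `kaffe.filecreatemode` property would carry. The function names `parse_create_mode` and `effective_mode` and the scratch path are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define DEFAULT_CREATE_MODE 0600  /* default suggested in the message */

/* Hypothetical helper: parse an octal mode string such as "0666".
 * Anything missing, non-octal or above 0777 falls back to 0600. */
mode_t parse_create_mode(const char *prop) {
    char *end;
    unsigned long v;
    if (prop == NULL || *prop == '\0') return DEFAULT_CREATE_MODE;
    v = strtoul(prop, &end, 8);
    if (*end != '\0' || v > 0777) return DEFAULT_CREATE_MODE;
    return (mode_t)v;
}

/* Hypothetical helper: create a file with the requested mode under the
 * given umask and return the permission bits it ended up with (-1 on error).
 * The kernel applies requested & ~umask, so the umask can only remove bits. */
int effective_mode(mode_t requested, mode_t mask) {
    char path[64];
    struct stat st;
    int fd, result = -1;
    mode_t old;
    /* Constructed scratch path; O_EXCL refuses an existing file or symlink. */
    snprintf(path, sizeof path, "/tmp/umaskdemo.%ld", (long)getpid());
    old = umask(mask);
    fd = open(path, O_CREAT | O_EXCL | O_WRONLY, requested);
    umask(old);                      /* restore the caller's umask */
    if (fd < 0) return -1;
    if (fstat(fd, &st) == 0) result = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return result;
}

int main(void) {
    printf("0666 under umask 002 -> %04o\n", effective_mode(0666, 002));
    printf("0600 under umask 002 -> %04o\n", effective_mode(0600, 002));
    printf("0666 under umask 077 -> %04o\n", effective_mode(0666, 077));
    printf("override \"0666\"      -> %04o\n", (unsigned)parse_create_mode("0666"));
    return 0;
}
```

With a requested mode of 0600 the result no longer depends on the user's umask being strict, while a 0666 request is only as private as the umask makes it.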
