Merge pull request #966 from AdoptOpenJDK/fix_restrictedfile_acl_on_w…
…indows

OWS-644, ITW 955 : fix restricted file ACL
sclassen authored Feb 4, 2025
2 parents 39156c1 + 9b83096 commit df3c419
Showing 1 changed file with 44 additions and 5 deletions.
Expand Up @@ -23,12 +23,14 @@

import java.io.File;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryFlag;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
Expand All @@ -48,7 +50,9 @@ public final class RestrictedFileUtils {

private static final Logger LOG = LoggerFactory.getLogger(RestrictedFileUtils.class);

private static final List<String> WIN_ROOT_PRINCIPALS = Arrays.asList("NT AUTHORITY\\SYSTEM", "BUILTIN\\Administrators");
private static final List<String> WIN_PRINCIPAL_SIDS = Arrays.asList(
"S-1-5-18" /*NT AUTHORITY\SYSTEM*/,
"S-1-5-32-544" /*BUILTIN\Administrators*/);

/**
* Creates a new directory with minimum permissions. The directory is not
Expand Down Expand Up @@ -122,10 +126,9 @@ private static void createRestrictedFile(File file, boolean isDir) throws IOExce
// filter ACL's leaving only root and owner
AclFileAttributeView view = Files.getFileAttributeView(tempFile.toPath(), AclFileAttributeView.class);
List<AclEntry> list = new ArrayList<>();
String owner = view.getOwner().getName();
for (AclEntry ae : view.getAcl()) {
String principalName = ae.principal().getName();
if (WIN_ROOT_PRINCIPALS.contains(principalName) || owner.equals(principalName)) {
if (principalInWinSIDS(ae.principal())) {
LOG.debug("Allowing permissions on restricted file {} for principal {} : {} ", tempFile.getAbsolutePath(), ae.principal().getName(), getSIDForPrincipal(ae.principal()));
list.add(AclEntry.newBuilder()
.setType(AclEntryType.ALLOW)
.setPrincipal(ae.principal())
Expand All @@ -134,7 +137,14 @@ private static void createRestrictedFile(File file, boolean isDir) throws IOExce
.build());
}
}

// Add permissions for the owner
LOG.debug("Allowing permissions on restricted file {} for principal {} : {} ", tempFile.getAbsolutePath(), view.getOwner().getName(), getSIDForPrincipal(view.getOwner()));
list.add(AclEntry.newBuilder()
.setType(AclEntryType.ALLOW)
.setPrincipal(view.getOwner())
.setPermissions(permissions)
.setFlags(flags)
.build());
// apply ACL
view.setAcl(list);
} else {
Expand Down Expand Up @@ -189,4 +199,33 @@ private static void createFileOrDir(File file, boolean isDir) throws IOException
}
}
}

public static boolean principalInWinSIDS(Principal principal) {
return WIN_PRINCIPAL_SIDS.contains(getSIDForPrincipal(principal));
}

public static String getSIDForPrincipal(Principal principal) {
try {
Method method = findMethod(principal.getClass(), "sidString");
if (method != null) {
method.setAccessible(true);
return (String) method.invoke(principal);
}
} catch (Exception e) {
LOG.debug("No SID for {}", principal.getName());
}
return "";
}

private static Method findMethod(Class<?> clazz, String methodName) {
while (clazz != null) {
try {
Method method = clazz.getDeclaredMethod(methodName);
return method;
} catch (NoSuchMethodException e) {
clazz = clazz.getSuperclass();
}
}
return null;
}
}
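Review bot: `getSIDForPrincipal` catches every `Exception` from the reflective `sidString` call and returns `""`, so if `setAccessible(true)` or the invoke is refused (the principal's class is presumably a JDK-internal type), `principalInWinSIDS` is false for every entry and the SYSTEM and Administrators ACEs are dropped with only a debug line that omits the cause. That outcome is the restrictive one, but it is silent; keep the exception and log it where it will be noticed, e.g. `LOG.warn("Cannot read SID for {}; its ACL entry will not be kept", principal.getName(), e);`. Both new helpers are `public static` although the only use visible here is in `createRestrictedFile`; `private static` would keep the reflective accessor out of the class's API. In `createRestrictedFile` (whose body extends beyond the shown hunks) the owner entry is now appended unconditionally, so an owner that is itself SYSTEM or Administrators would get two identical ALLOW entries; guarding that `list.add` with `if (!principalInWinSIDS(view.getOwner()))` avoids the duplicate.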
