> On Feb 9, 2015, at 14:42, Peter Levart <peter.lev...@gmail.com> wrote:
> 
> Hi Max,
> 
> Of course you are aware that by trusting the symlinks, you potentially give 
> much more permission than you would hope to. Suppose that some code has 
> permission to read and write into a particular directory (for temporary 
> files). With this permission the code can actually read and/or write any file 
> in the filesystem that the OS grants the Java process access to, merely by 
> creating a symlink in the read/write-able directory and accessing the file 
> through it. That's why Apache HTTP Server by default disables the 
> "FollowSymLinks" option.

Yes, we will be careful.

In Java, a LinkPermission is needed to create a link. Of course, there might be 
other (existing) symlinks created by other non-Java processes. We will evaluate 
this possibility.

Thanks
Max
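
The concern raised in the quoted message, as an added example that is not part of the original thread and is not JDK code: a containment check that resolves symlinks with `Path.toRealPath()` before comparing a path against the directory a permission was granted for. The class name, method name and file layout are hypothetical and constructed for illustration; creating the link needs a platform and account that allow symlinks.

```java
import java.io.IOException;
import java.nio.file.*;

// Added example; class and method names are hypothetical, not JDK code.
public class SymlinkContainment {

    // True only if 'candidate', with every symlink resolved, lies under 'grantedDir'.
    static boolean staysInside(Path grantedDir, Path candidate) throws IOException {
        Path root = grantedDir.toRealPath();
        Path real;
        if (Files.exists(candidate, LinkOption.NOFOLLOW_LINKS)) {
            try {
                real = candidate.toRealPath();      // follows links to the final target
            } catch (NoSuchFileException dangling) {
                return false;                       // dangling link: target unknown, deny
            }
        } else {
            // File not created yet: resolve the parent, then append the name.
            Path parent = candidate.toAbsolutePath().getParent();
            if (parent == null) return false;
            real = parent.toRealPath().resolve(candidate.getFileName()).normalize();
        }
        return real.startsWith(root);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: a granted temp directory and a file outside it.
        Path granted = Files.createTempDirectory("granted");
        Path outside = Files.createTempFile("outside", ".txt");
        Path plain = Files.createFile(granted.resolve("scratch.tmp"));
        // Link inside the granted directory that points outside of it.
        Path link = Files.createSymbolicLink(granted.resolve("link"), outside);

        System.out.println("plain file inside:  " + staysInside(granted, plain));
        System.out.println("link to outside:    " + staysInside(granted, link));
        System.out.println("not yet created:    " + staysInside(granted, granted.resolve("new")));
    }
}
```

The check and the later open are separate steps, so a link swapped in between them is not caught by this check alone.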
