It sounds to me like we need additional means to protect the file permission without canonicalization. I am looking forward to seeing the new proposal with an appropriate solution for the problem Peter raised.
Thanks a lot!

2015-02-09 14:50 GMT+08:00 Wang Weijun <weijun.w...@oracle.com>:
>
> On Feb 9, 2015, at 14:42, Peter Levart <peter.lev...@gmail.com> wrote:
>
> > Hi Max,
> >
> > Of course you are aware that by trusting the symlinks, you potentially give much more permission than you would hope to. Suppose that some code has permission to read and write into a particular directory (for temporary files). With this permission the code can actually read and/or write any file in the filesystem that the OS grants access to the java process, merely by creating a symlink in the read/write-able directory and accessing the file through it. That's why Apache HTTP Server by default disables the "FollowSymLinks" option.
>
> Yes, we will be careful.
>
> In Java, a LinkPermission is needed to create a link. Of course, there might be other (existing) symlinks created by other non-Java processes. We will evaluate this possibility.
>
> Thanks
> Max
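To make the point in the quoted exchange concrete, here is an added example that is not part of the thread and not JDK code. It contrasts a purely lexical containment check (which trusts whatever a symlink inside the permitted directory points at) with a canonicalizing check that resolves symlinks before comparing against the permitted root. The class and method names (SymlinkContainmentCheck, lexicallyConfined, reallyConfined, realPathOfPossiblyMissing) are illustrative, and the temporary sandbox directory, outside file and "escape" symlink are constructed by the program itself.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not from the thread or the JDK). All names are illustrative.
public class SymlinkContainmentCheck {

    // Lexical check only: normalizes "." and ".." but never consults the
    // filesystem, so a symlink living inside the sandbox is accepted even when
    // its target lies outside. This is the "trust the symlinks" behaviour.
    static boolean lexicallyConfined(Path sandboxRoot, Path candidate) {
        Path root = sandboxRoot.toAbsolutePath().normalize();
        Path cand = candidate.toAbsolutePath().normalize();
        return cand.startsWith(root);
    }

    // Canonicalizing check: resolves every symlink in both the root and the
    // candidate before comparing. A candidate that does not exist yet (a file
    // about to be created) is resolved up to its nearest existing ancestor,
    // so a symlinked parent directory is still detected.
    static boolean reallyConfined(Path sandboxRoot, Path candidate) throws IOException {
        Path root = sandboxRoot.toRealPath();
        Path real = realPathOfPossiblyMissing(candidate);
        return real.startsWith(root);
    }

    static Path realPathOfPossiblyMissing(Path p) throws IOException {
        Path existing = p.toAbsolutePath().normalize();
        Deque<Path> missing = new ArrayDeque<>();
        // Peel off trailing components that do not exist yet (NOFOLLOW_LINKS so
        // that a dangling symlink counts as existing and is resolved below).
        while (existing != null && !Files.exists(existing, LinkOption.NOFOLLOW_LINKS)) {
            missing.push(existing.getFileName());
            existing = existing.getParent();
        }
        if (existing == null) {
            throw new NoSuchFileException(p.toString());
        }
        Path real = existing.toRealPath(); // follows symlinks; throws on a dangling link
        for (Path part : missing) {        // head first: shallowest missing component first
            real = real.resolve(part);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scenario: a writable sandbox, a file outside it, and a
        // symlink inside the sandbox pointing at the outside file.
        Path sandbox = Files.createTempDirectory("sandbox");
        Path outside = Files.createTempFile("outside", ".txt");
        Path link = sandbox.resolve("escape");
        Path newFile = sandbox.resolve("new.txt"); // legitimate, not created yet
        try {
            // Under a SecurityManager this call itself requires LinkPermission.
            Files.createSymbolicLink(link, outside);

            System.out.println("lexical  check on symlink : " + lexicallyConfined(sandbox, link)); // true
            System.out.println("realpath check on symlink : " + reallyConfined(sandbox, link));    // false
            System.out.println("lexical  check on new file: " + lexicallyConfined(sandbox, newFile)); // true
            System.out.println("realpath check on new file: " + reallyConfined(sandbox, newFile));    // true
        } catch (UnsupportedOperationException | IOException e) {
            // Symlink creation may be unavailable (e.g. unprivileged Windows accounts).
            System.out.println("could not create symlink in this environment: " + e);
        } finally {
            Files.deleteIfExists(link);
            Files.deleteIfExists(outside);
            Files.deleteIfExists(sandbox);
        }
    }
}
```

Two caveats a practitioner would keep in mind. First, the check is a check-then-use sequence: if another process can replace a path component between reallyConfined and the subsequent open, the resolved path can change, which is exactly the non-Java-process case Max mentions; opening with LinkOption.NOFOLLOW_LINKS where only the final component matters narrows that window. Second, comparing against sandboxRoot.toRealPath() rather than the raw root matters on systems where the sandbox itself sits under a symlinked directory, otherwise every legitimate path would be rejected.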