如何在Java中检查文件是否由当前用户拥有?

huangapple go评论72阅读模式
英文:

How to check if a file is owned by the current user in Java?

问题

如果读取一个不属于启动JVM的用户的文件我想要显示警告

在我的应用程序中该文件可以使程序写入任意文件因此我希望降低特权升级攻击的风险如果管理员处理这个文件

```java
Files.getOwner(path)

返回表示文件所有者的UserPrincipal。但我找不到一个平台独立的方法来检查这个UserPrincipal是否与当前用户匹配。

我可以使用

System.getProperty("user.name")

来获取当前用户并尝试匹配名称。但这些属性可以被篡改,如果文件所有者是一个组,这种方法不起作用,例如。


<details>
<summary>英文:</summary>

I want to show a warning if a file is read that is not owned by the user that started the JVM.

In my application, this file can make the program write arbitrary files. So I want to reduce the risk of a privilege escalation attack, if an admin processes this file.

```java
Files.getOwner(path)

retruns a UserPrincipal that represents the file owner. But I can't find a platform independent way to check if this UserPrincipal matches the current user.

I could use

System.getProperty(&quot;user.name&quot;)

to get the current user and try to match the names. But these properties can be manipulated and this doesn't work if the file owner is a group, for example.

答案1

得分: 1

如果您可以可靠地确定文件的所有者,但不能确定进程的所有者,我们可以将这两者结合起来:创建一个临时文件,获取所有者,然后删除文件。

File tempFile = File.createTempFile("MyAppName-", ".tmp");
UserPrincipal u = Files.getOwner(tempFile.toPath());
tempFile.deleteOnExit();
tempFile.delete();

// UserPrincipal u 将包含当前进程的用户。
英文:

If you can reliably tell the owner of a file but not the owner of the process we could combine those two: create a temporary file, get the owner and remove the file again.

File tempFile = File.createTempFile(&quot;MyAppName-&quot;, &quot;.tmp&quot;);
UserPrincipal u = Files.getOwner(tempFile.toPath());
tempFile.deleteOnExit();
tempFile.delete();

// UserPrincipal u will contain the current process user.

答案2

得分: 0

以下是已翻译的内容:

如果您已经拥有文件所有者的主体,问题将是如何可靠地获取正在运行应用程序的当前用户。

也许这个解决方案可以帮助?然而,它似乎使用了Spring Security:https://www.javaguides.net/2019/06/spring-security-get-current-logged-in-user-details.html

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
UserDetails userDetails = (UserDetails) authentication.getPrincipal();

// getUsername() - 返回用于认证用户的用户名。
System.out.println("用户名:" + userDetails.getUsername());

// getAuthorities() - 返回授予用户的权限。
System.println("用户拥有权限:" + userDetails.getAuthorities());
英文:

If you already have a principal of the file owner, the question would remain how to reliably get the current user running the application.

Maybe this solution can help? However it seems to make use of Sprint security: https://www.javaguides.net/2019/06/spring-security-get-current-logged-in-user-details.html

Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
UserDetails userDetails = (UserDetails) authentication.getPrincipal();

// getUsername() - Returns the username used to authenticate the user.
System.out.println(&quot;User name: &quot; + userDetails.getUsername());

// getAuthorities() - Returns the authorities granted to the user.
System.out.println(&quot;User has authorities: &quot; + userDetails.getAuthorities());

huangapple
  • 本文由 发表于 2023年3月20日 23:46:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/75792431.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定