英文:
How to check if a file is owned by the current user in Java?
问题
如果读取一个不属于启动JVM的用户的文件,我想要显示警告。
在我的应用程序中,该文件可以使程序写入任意文件。因此,我希望降低特权升级攻击的风险,如果管理员处理这个文件。
```java
Files.getOwner(path)
返回表示文件所有者的UserPrincipal。但我找不到一个平台独立的方法来检查这个UserPrincipal是否与当前用户匹配。
我可以使用
System.getProperty("user.name")
来获取当前用户并尝试匹配名称。但这些属性可以被篡改,如果文件所有者是一个组,这种方法不起作用,例如。
<details>
<summary>英文:</summary>
I want to show a warning if a file is read that is not owned by the user that started the JVM.
In my application, this file can make the program write arbitrary files. So I want to reduce the risk of a privilege escalation attack, if an admin processes this file.
```java
Files.getOwner(path)
retruns a UserPrincipal that represents the file owner. But I can't find a platform independent way to check if this UserPrincipal matches the current user.
I could use
System.getProperty("user.name")
to get the current user and try to match the names. But these properties can be manipulated and this doesn't work if the file owner is a group, for example.
答案1
得分: 1
如果您可以可靠地确定文件的所有者,但不能确定进程的所有者,我们可以将这两者结合起来:创建一个临时文件,获取所有者,然后删除文件。
File tempFile = File.createTempFile("MyAppName-", ".tmp");
UserPrincipal u = Files.getOwner(tempFile.toPath());
tempFile.deleteOnExit();
tempFile.delete();
// UserPrincipal u 将包含当前进程的用户。
英文:
If you can reliably tell the owner of a file but not the owner of the process we could combine those two: create a temporary file, get the owner and remove the file again.
File tempFile = File.createTempFile("MyAppName-", ".tmp");
UserPrincipal u = Files.getOwner(tempFile.toPath());
tempFile.deleteOnExit();
tempFile.delete();
// UserPrincipal u will contain the current process user.
答案2
得分: 0
以下是已翻译的内容:
如果您已经拥有文件所有者的主体,问题将是如何可靠地获取正在运行应用程序的当前用户。
也许这个解决方案可以帮助?然而,它似乎使用了Spring Security:https://www.javaguides.net/2019/06/spring-security-get-current-logged-in-user-details.html
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
// getUsername() - 返回用于认证用户的用户名。
System.out.println("用户名:" + userDetails.getUsername());
// getAuthorities() - 返回授予用户的权限。
System.println("用户拥有权限:" + userDetails.getAuthorities());
英文:
If you already have a principal of the file owner, the question would remain how to reliably get the current user running the application.
Maybe this solution can help? However it seems to make use of Sprint security: https://www.javaguides.net/2019/06/spring-security-get-current-logged-in-user-details.html
Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
UserDetails userDetails = (UserDetails) authentication.getPrincipal();
// getUsername() - Returns the username used to authenticate the user.
System.out.println("User name: " + userDetails.getUsername());
// getAuthorities() - Returns the authorities granted to the user.
System.out.println("User has authorities: " + userDetails.getAuthorities());
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论