...
Code Block |
---|
|
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.AccessController;
import java.security.PrivilegedAction;

public void changePassword() {
  final FileInputStream f[] = { null };
  AccessController.doPrivileged(new PrivilegedAction<Void>() {
    public Void run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
                              + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);
        // Operate on the file ...
        // Loading the native library also runs with elevated privileges,
        // although it has nothing to do with opening the password file
        System.loadLibrary("LibName");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
}
|
...
Wiki Markup |
---|
This compliant solution moves the call to {{System.loadLibrary()}} outside the {{doPrivileged()}} block, so it runs with the caller's own permissions rather than with those of the privileged code. Any operations on the file stream {{f\[0\]}} must also occur outside the privileged block to make it easier to audit privileged code. However, {{f\[0\]}} should not leak out to untrusted code (see [SEC02-J. Do not allow doPrivileged() blocks to leak sensitive information outside a trust boundary]). Therefore, the "operations on the file" must not allow {{f\[0\]}} to escape from {{changePassword()}}: it must not be returned, stored in a field, or passed to untrusted code, and it should be closed before the method returns. If loading the library genuinely requires elevated privileges, give it its own minimal {{doPrivileged()}} block rather than sharing the block that opens the password file. Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code. |
Code Block |
---|
|
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.security.AccessController;
import java.security.PrivilegedAction;

public void changePassword() {
  final FileInputStream f[] = { null };
  AccessController.doPrivileged(new PrivilegedAction<Void>() {
    public Void run() {
      try {
        // Only opening the password file runs with elevated privileges
        String passwordFile = System.getProperty("user.dir") + File.separator
                              + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
  // Operations on the file using f[0] happen here, outside the privileged
  // block and with the caller's permissions. Ensure that the f[0] reference
  // remains contained within changePassword() and that the stream is closed
  // before the method returns.
  System.loadLibrary("LibName");
}
|
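The following is an added, runnable example that is not part of the original page; it shows the same structure as the compliant solution above but uses a typed {{PrivilegedExceptionAction}} instead of the one-element array, closes the stream with try-with-resources so the reference cannot escape {{changePassword()}}, and isolates the {{System.loadLibrary()}} call in its own minimal privileged block. The file name {{PasswordFileName}}, the directory parameter in place of {{user.dir}}, the {{user:sha256hex}} line format, and the sample entry written by {{main()}} are all assumptions made for this example. It needs Java 17 or later (for {{HexFormat}}); note that {{AccessController}} is deprecated for removal since Java 17 and that, with the Security Manager disabled by default since Java 18, {{doPrivileged()}} performs no access check at all.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.AccessController;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivilegedAction;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.HexFormat;

// Added example, not code from the original page.
public final class PasswordChanger {

    private static final String PASSWORD_FILE = "PasswordFileName"; // assumed file name

    /** The only code that runs with elevated privileges: open the file and nothing else. */
    private static FileInputStream openPasswordFile(Path dir) throws IOException {
        try {
            return AccessController.doPrivileged(
                    (PrivilegedExceptionAction<FileInputStream>) () ->
                            new FileInputStream(dir.resolve(PASSWORD_FILE).toFile()));
        } catch (PrivilegedActionException e) {
            throw (IOException) e.getException(); // unwrap the action's checked exception
        }
    }

    /** If loading the native helper truly needs privileges, it gets its own minimal block. */
    static void loadNativeLibrary(String name) {
        AccessController.doPrivileged((PrivilegedAction<Void>) () -> {
            System.loadLibrary(name);
            return null;
        });
    }

    /**
     * Returns true if oldPassword matches the stored SHA-256 entry for user.
     * The stream is opened, read and closed inside this method; only a boolean leaves it.
     */
    public static boolean changePassword(Path dir, String user, String oldPassword)
            throws IOException {
        String storedHex = null;
        // Operations on the file run outside doPrivileged(), with the caller's permissions.
        try (FileInputStream in = openPasswordFile(dir);
             BufferedReader r = new BufferedReader(
                     new InputStreamReader(in, StandardCharsets.UTF_8))) {
            String line;
            while ((line = r.readLine()) != null) {
                int sep = line.indexOf(':');
                if (sep > 0 && line.substring(0, sep).equals(user)) {
                    storedHex = line.substring(sep + 1).trim();
                    break;
                }
            }
        } // the stream is closed here and was never handed to anything outside this method
        if (storedHex == null) {
            return false;
        }
        byte[] expected = HexFormat.of().parseHex(storedHex);
        byte[] actual = sha256(oldPassword);
        // Writing the new entry after a successful check is omitted in this example.
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    /** Constructed demo: writes a temporary password file and runs the check three times. */
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("pwdemo");
        String entry = "alice:" + HexFormat.of().formatHex(sha256("correct horse"));
        Files.writeString(dir.resolve(PASSWORD_FILE), entry + "\n", StandardCharsets.UTF_8);
        System.out.println(changePassword(dir, "alice", "correct horse"));
        System.out.println(changePassword(dir, "alice", "wrong"));
        System.out.println(changePassword(dir, "bob", "correct horse"));
    }
}
```

Auditing this version means reading two short lambdas: the one that opens the file and the one that loads the library. Everything else, including the parsing and the comparison, runs with the caller's permissions, and because the stream lives only inside the try-with-resources of {{changePassword()}} there is no path by which it can reach untrusted code.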
Risk Assessment
Failure to follow the principle of least privilege can lead to privilege escalation.
...