SEI CERT Oracle Coding Standard for Java

Space shortcuts

Page tree

Versions Compared

Old Version 47

changes.mady.by.user David Svoboda

Saved on

compared with

New Version 48

changes.mady.by.user Robert Seacord

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Programs must comply with the principle of least privilege not only by providing privileged blocks with the minimum permissions required for correct operation (see SEC50-JG. Avoid granting excess privileges), but also by ensuring that privileged blocks contain code contains only those operations that require the increased privileges. Superfluous code contained within a privileged block necessarily operates with the privileges of that block; this increases increasing the potential attack surface exposed to an attacker. Consequently, privileged blocks must not contain superfluous code.

Noncompliant Code Example

This noncompliant code example shows a changePassword() method that attempts to open a password file using within a doPrivileged block. The doPrivileged block also contains logic that operates on the file and a superfluous System.loadLibrary() call.

Code Block
bgColor#FFcccc
public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
        // Operate on the file ...
        System.loadLibrary("LibName");
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  }); // end of doPrivileged()
}

This example violates the principle of least privilege because a caller who does not have the required privileges may also be able to cause the because an unprivileged caller will also cause the specified library to be loaded.

Compliant Solution

This compliant solution moves the call to System.loadLibrary() outside the doPrivileged() block.

Code Block
bgColor#ccccff
public void changePassword() {
  final FileInputStream f[] = { null };

  AccessController.doPrivileged(new PrivilegedAction() {
    public Object run() {
      try {
        String passwordFile = System.getProperty("user.dir") + File.separator
            + "PasswordFileName";
        f[0] = new FileInputStream(passwordFile);                                                     
      } catch (FileNotFoundException cnf) {
        // Forward to handler
      }
      return null;
    }
  });  // end of doPrivileged()
  // Operations on the file using handle f[0]
  // while ensuring that the f[0] reference     
  // remains contained within changePassword()
  System.loadLibrary("LibName");
}

...

Minimizing the amount of code that requires elevated privileges eases the necessary task of auditing privileged code.

Applicability

Failure to follow the principle of least privilege can lead to privilege escalation.

Related Guidelines

ISO/IEC TR 24772:2010

"Privilege Sandbox Issues [XYO]"

MITRE CWE

CWE ID 272, "Least Privilege Violation"

Bibliography

[API 2011]

Class AccessController

...