Summary: | Ant may still use java.io.tmp as tmp directory | ||
---|---|---|---|
Product: | Ant | Reporter: | Sourabh Sarvotham Parkala <sourabh.sarvotham.parkala> |
Component: | Core | Assignee: | Ant Notifications List <notifications> |
Status: | RESOLVED WONTFIX | ||
Severity: | normal | ||
Priority: | P2 | ||
Version: | 1.9.15 | ||
Target Milestone: | --- | ||
Hardware: | PC | ||
OS: | All |
Description
Sourabh Sarvotham Parkala
2020-08-07 13:54:14 UTC
Actually, java.io.tmpdir is our best bet for finding a writable directory. Some time in the past we created temporary files inside of the current working directory rather than the system tempdir and had to change that as in some contexts the CWD was unwritable. Think CI system using read-only containers that only mount the build tree. Most Ant tasks create temporary files inside of the build tree, but not all of them. When we fixed CVE-2020-1945 we discussed making all tasks ensure they write to the build directory but not all places that create temporary files actually know the concept of a "build directory". So any such solution would have been partial. Current master will set up a user-specific 700 permission temp directory inside of java.io.tmpdir if this is possible. But this really still is a kludge and won't work on Windows. Therefore the best approach is and remains the user sets up a directory with proper permissions before starting Ant. Hello Stefan, Thank you for the response. As I understand, creating a tmp folder in random locations is creating an access permission issue. This is even more restrictive when using Apache Ant in Windows OS. Please correct me if I am wrong. However a suggestion, Have you considered using "~/" USER_HOME folder for this tmp directory creation? Would USER_HOME folder serve your purpose and allow appropriate access folder permissions after creation of tmp directory for Ant use? Just a thought. Please let me know, if this is something to be considered Thanks Sourabh There are cases, where the users home directory is not writable by Ant. The most simple example are docker containers with read-only mounted filesystems as can be found in certain CI systems. There is no location we could come up with that would be reasonably secure and we'd be sure we could write to at the same time. This really is heavily dependent on the environment in question and so we've decided to leave full control in the hands of the people who know the environment. If you want to enforce people to use the home directory you could define ANT_OPTS as a system environment variable, I guess. Of course people would be able to override that. |