Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit

Thank you for your suggestion. However, the changes you are requesting aren't really a bug and require more discussion, which should be done on an appropriate mailing list or forum. http://www.ubuntu.com/support/community/mailinglists might be a good start for determining which mailing list to use.

There are a couple additional comments I would like add:
* The program isn't technically executing as the result of a +x flag or anything like that, nautilus is actually calling a helper application and running it that way.
* naitilus can be set to open the file rather then run it if you go into the configuration, I believe the out of the box behaviour that they want is to have the file run.
* Java is generally pretty safe (although I am sure someone will post something to prove otherwise). Even if a malicious file was run the hopes are that the user isn't running the file as root (he/she would have to enter a password regardless) so the whole system would be affected...

I am wishlisting this issue as it is a valid one and I can see the reasoning from both sides.

> * Java is generally pretty safe (although I am sure someone will post something to prove otherwise). Even if a malicious file was run the hopes are that the user isn't running the file as root (he/she would have to enter a password regardless) so the whole system would be affected...

Java *applets* are pretty safe. Java *applications* can do anything
any other program can do.

Ubuntu should not execute programs that lack execute bits. Wine applications need to be made executable, and the same should be true for Java.

What exactly executes? If a .java file is marked as executable and I type in the name at a CLI prompt it will not execute, neither will a .jar file. I understand that nautilus executes the file when it's clicked on, but what's the difference between a python script being ran when clicked on, or even a wine launcher. I am going to mark this as low priority and will check with the bug-control team on this one.

Okay this is what I did for this issue so far. I have reported this issue up stream asking what there opinion is of what was reported. This bug has been marked a "low" priority as per the priority guidelines for triaging (as it does not affect a critical system or inhibit a piece of software).

I will be monitoring this bug for activity and will update this bug once the upstream developers have commented.

Thanks,

Richard Seguin

Richard,

You're confusing things. You can not execute .java files, that's
source code. It must be compiled into byte code (.class files).
Executable .jar archive will contain one or more .class files. For
the purpose of this bug, the byte code can be thought of as machine
code.

There is no difference between a Python script or Perl script, or any
other script file that can execute arbitrary commands, java byte code,
or a binary executable: If the execute permission is not set, neither
one of them is permitted to execute.

Jan.

On Sun, Jan 25, 2009 at 22:03, Richard Seguin
<email address hidden> wrote:
> What exactly executes? If a .java file is marked as executable and I
> type in the name at a CLI prompt it will not execute, neither will a
> .jar file. I understand that nautilus executes the file when it's
> clicked on, but what's the difference between a python script being ran
> when clicked on, or even a wine launcher. I am going to mark this as low
> priority and will check with the bug-control team on this one.
>
>
> ** Changed in: nautilus (Ubuntu)
> Importance: Medium => Low
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in "nautilus" source package in Ubuntu: Confirmed
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
>
> Description: Ubuntu 8.04.1
> Release: 8.04
>
> 2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). The archive has the execute permission bits cleared (chmod 640). When the archive icon is double-clicked, the archive contents should be displayed in the Archive Manager. Under no circumstances code contained in the archive should be executed. Opening files should be safe, regardless of their contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is called).
>
>
> 5) Security implication
>
> User can be tricked into executing arbitrary code by opening an innocuously-looking file. This is similar to the MS-Word macro virus attacks, or a Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default. User can specify some file types to be downloaded automatically. It is reasonable to expect such files would be later opened by double-clicking on their Desktop icons. The file type does not (necessarily) correspond to the extension; the file name, including the extension, is fully under the control of the attacker. Firefox will save the file with the file name specified. When user double-clicks the archive they just downloaded, they expect the contents to be displayed. Instead, the code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file association: right cl...

Hey Jan,

Yeah sorry my programming skills are not the best in the world so I do get a
bit confused. So what your saying is that even if the executable bit is
not set nautilus will execute it regardless right? I have already forwarded
the bug up stream so I will update the ticket clarifying later in the day.

On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <email address hidden> wrote:

> Richard,
>
> You're confusing things. You can not execute .java files, that's
> source code. It must be compiled into byte code (.class files).
> Executable .jar archive will contain one or more .class files. For
> the purpose of this bug, the byte code can be thought of as machine
> code.
>
> There is no difference between a Python script or Perl script, or any
> other script file that can execute arbitrary commands, java byte code,
> or a binary executable: If the execute permission is not set, neither
> one of them is permitted to execute.
>
> Jan.
>
> On Sun, Jan 25, 2009 at 22:03, Richard Seguin
> <email address hidden> wrote:
> > What exactly executes? If a .java file is marked as executable and I
> > type in the name at a CLI prompt it will not execute, neither will a
> > .jar file. I understand that nautilus executes the file when it's
> > clicked on, but what's the difference between a python script being ran
> > when clicked on, or even a wine launcher. I am going to mark this as low
> > priority and will check with the bug-control team on this one.
> >
> >
> > ** Changed in: nautilus (Ubuntu)
> > Importance: Medium => Low
> >
> > --
> > Opening a Java Archive (.JAR) file executes it regardless of the
> "executable" permission bit
> > https://bugs.launchpad.net/bugs/313439
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
> > Status in "nautilus" source package in Ubuntu: Confirmed
> >
> > Bug description:
> > Binary package hint: nautilus
> >
> > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
> -> About Ubuntu.
> >
> > Description: Ubuntu 8.04.1
> > Release: 8.04
> >
> > 2) The version of the package you are using, via 'apt-cache policy
> packagename' or by checking in Synaptic.
> >
> > N/A
> >
> > 3) What you expected to happen
> >
> > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
> The archive has the execute permission bits cleared (chmod 640). When the
> archive icon is double-clicked, the archive contents should be displayed in
> the Archive Manager. Under no circumstances code contained in the archive
> should be executed. Opening files should be safe, regardless of their
> contents.
> >
> >
> > 4) What happened instead
> >
> > The archive is nevertheless executed (presumably, java -jar <archive
> name> is called).
> >
> >
> > 5) Security implication
> >
> > User can be tricked into executing arbitrary code by opening an
> innocuously-looking file. This is similar to the MS-Word macro virus
> attacks, or a Vim modeline attacks.
> >
> > 6) Example scenario
> >
> > Firefox downloads to Desktop by default. User can specify some file
> types to be downloaded automatically. It is reasonable to expect such files
> would be la...

Yes, the code is executed regardless of the executable bit.

Thanks for reporting this upstream; I have read the upstream bug
report, and I think the it is fine.

On Mon, Jan 26, 2009 at 12:17, Richard Seguin
<email address hidden> wrote:
> Hey Jan,
>
> Yeah sorry my programming skills are not the best in the world so I do get a
> bit confused. So what your saying is that even if the executable bit is
> not set nautilus will execute it regardless right? I have already forwarded
> the bug up stream so I will update the ticket clarifying later in the day.
>
> On Sun, Jan 25, 2009 at 10:10 PM, Jan Minář <email address hidden> wrote:
>
>> Richard,
>>
>> You're confusing things. You can not execute .java files, that's
>> source code. It must be compiled into byte code (.class files).
>> Executable .jar archive will contain one or more .class files. For
>> the purpose of this bug, the byte code can be thought of as machine
>> code.
>>
>> There is no difference between a Python script or Perl script, or any
>> other script file that can execute arbitrary commands, java byte code,
>> or a binary executable: If the execute permission is not set, neither
>> one of them is permitted to execute.
>>
>> Jan.
>>
>> On Sun, Jan 25, 2009 at 22:03, Richard Seguin
>> <email address hidden> wrote:
>> > What exactly executes? If a .java file is marked as executable and I
>> > type in the name at a CLI prompt it will not execute, neither will a
>> > .jar file. I understand that nautilus executes the file when it's
>> > clicked on, but what's the difference between a python script being ran
>> > when clicked on, or even a wine launcher. I am going to mark this as low
>> > priority and will check with the bug-control team on this one.
>> >
>> >
>> > ** Changed in: nautilus (Ubuntu)
>> > Importance: Medium => Low
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> > https://bugs.launchpad.net/bugs/313439
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>> > Status in "nautilus" source package in Ubuntu: Confirmed
>> >
>> > Bug description:
>> > Binary package hint: nautilus
>> >
>> > 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System
>> -> About Ubuntu.
>> >
>> > Description: Ubuntu 8.04.1
>> > Release: 8.04
>> >
>> > 2) The version of the package you are using, via 'apt-cache policy
>> packagename' or by checking in Synaptic.
>> >
>> > N/A
>> >
>> > 3) What you expected to happen
>> >
>> > Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI).
>> The archive has the execute permission bits cleared (chmod 640). When the
>> archive icon is double-clicked, the archive contents should be displayed in
>> the Archive Manager. Under no circumstances code contained in the archive
>> should be executed. Opening files should be safe, regardless of their
>> contents.
>> >
>> >
>> > 4) What happened instead
>> >
>> > The archive is nevertheless executed (presumably, java -jar <archive
>> name> is called).
>> >
>> >
>> > 5) Security implication
>> >
>> > User can be tricked into executing arbitr...

comment from upstream:
"does it also happen if you do "gvfs-open /path/to/file.jar"?
I suspect it's just that you have a desktop file installed by java that
associates the mime type to this action.
"

I installed the gvfs-bin package, and tried:

    gvfs-open /path/to/foo.jar

and it indeed executes the JAR contents.

What do you mean by ``desktop file installed by java''?

On Wed, Jan 28, 2009 at 13:58, Pedro Villavicencio <email address hidden> wrote:
> comment from upstream:
> "does it also happen if you do "gvfs-open /path/to/file.jar"?
> I suspect it's just that you have a desktop file installed by java that
> associates the mime type to this action.
> "
>
> ** Changed in: nautilus (Ubuntu)
> Assignee: (unassigned) => Ubuntu Desktop Bugs (desktop-bugs)
> Status: Confirmed => Incomplete
>
> ** Changed in: nautilus
> Bugwatch: GNOME Bug Tracker #569130 => GNOME Bug Tracker #569129
> Status: Invalid => Unknown
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in Nautilus: Unknown
> Status in "nautilus" source package in Ubuntu: Incomplete
>
> Bug description:
> Binary package hint: nautilus
>
> 1) The release of Ubuntu you are using, via 'lsb_release -rd' or System -> About Ubuntu.
>
> Description: Ubuntu 8.04.1
> Release: 8.04
>
> 2) The version of the package you are using, via 'apt-cache policy packagename' or by checking in Synaptic.
>
> N/A
>
> 3) What you expected to happen
>
> Let's have a Java Archive (.JAR) file on the Desktop (default Gnome GUI). The archive has the execute permission bits cleared (chmod 640). When the archive icon is double-clicked, the archive contents should be displayed in the Archive Manager. Under no circumstances code contained in the archive should be executed. Opening files should be safe, regardless of their contents.
>
>
> 4) What happened instead
>
> The archive is nevertheless executed (presumably, java -jar <archive name> is called).
>
>
> 5) Security implication
>
> User can be tricked into executing arbitrary code by opening an innocuously-looking file. This is similar to the MS-Word macro virus attacks, or a Vim modeline attacks.
>
> 6) Example scenario
>
> Firefox downloads to Desktop by default. User can specify some file types to be downloaded automatically. It is reasonable to expect such files would be later opened by double-clicking on their Desktop icons. The file type does not (necessarily) correspond to the extension; the file name, including the extension, is fully under the control of the attacker. Firefox will save the file with the file name specified. When user double-clicks the archive they just downloaded, they expect the contents to be displayed. Instead, the code supplied by the attacker will be executed.
>
> 7) Workaround
>
> It is possible to change this default behaviour by changing the file association: right click > Open With > select Archive Manager as the default app to open with. However, this is not based on permissions, so one has to right click > Open With > java when one wants to indeed execute the application then.
>
> ProblemType: Bug
> Architecture: amd64
> Date: Sat Jan 3 10:12:45 2009
> DistroRelease: Ubuntu 8.04
> Package: firefox...

It has been determined that mime types/file associations are causing this issue. The same mechanism that opens .html files (which are not executable) also executes .jar files as they are associated with java. In order to specify which type of file should be executed by a mime association would indeed fall under the category of feature request. keep in mind that with this same feature request would come the issue of some users not being able to load .html files or .pdf files or any other file association based upon permissions if implemented.

Suggestion: if .jar files are a major issue for you, then you might want to dis-associate them with java so you don't run into the issue of them executing them when you double click on them.

Marking as wishlist as a result as there is currently no mechanism in place to flag certain mime types as executable.

Looks to me as this bug should be reassigned to the respective package
that holds tose MIME associations? Which one would that be?

The MIME association should test if file is executable, and only
execute it then. May be a broader issue in the MIME associations
file, not just regarding JARs?

Upstream suggests some package has added this association, so it's not
the core MIME package that should be interested, but the particular
package that added the association (one of the Java core packages;
there are so many)?

Still, it would be a good idea to have a system-wide mechanism to
check for the executable permission bit, and depending on it either
run the read association, or the execute association.

On Sat, Jan 31, 2009 at 15:04, Jan Minář <email address hidden> wrote:
> Looks to me as this bug should be reassigned to the respective package
> that holds tose MIME associations? Which one would that be?
>
> The MIME association should test if file is executable, and only
> execute it then. May be a broader issue in the MIME associations
> file, not just regarding JARs?
>

that doesn't seem to be either a GNOME bug or a high priority issue

This doesn't seem like even a valid request. But that's just me.

This report has been flagged for review by the bug-control team.

My proposal here is to do the same thing I'm experimenting with for Wine: have the mime type associate with a new application that checks for the execute bit - if it's there it's passed normally, and if it's not the user gets a "run (and set execute bit) vs cancel" prompt.

On Tue, May 5, 2009 at 00:55, Scott Ritchie <email address hidden> wrote:
> My proposal here is to do the same thing I'm experimenting with for
> Wine: have the mime type associate with a new application that checks
> for the execute bit - if it's there it's passed normally, and if it's
> not the user gets a "run (and set execute bit) vs cancel" prompt.

I agree that an association with a simple script which checks for the
execute bit sounds like a good idea. How do you deal with the race
condition when the file is changed after the executable bit is
checked, and before the file would be executed?

The special execute bit is a feature: random files downloaded from the
Internet have to be granted the execute privilege, explicitly, before
they can execute, and do any damage. Furthermore, there is a
perfectly valid open operation, which is opening the JAR with the
Archive Manager. Executing is accessible via the context menu.

Jan.

I can confirm that /usr/share/applications/sun-java6.desktop has 'application/x-jar' in its list of MimeTypes.

I like Scott Ritchie's suggestion to use a loader that determines what to do. Maybe we could create one loader for .jar-archives, Windows applications and other similar file types.
Should there be tasks opened for the other Java VMs as well? It would seem correct to me since we are moving away from Sun to OpenJDK, but I'm not sure.

I regard this as not a bug. There may be an issue, but the issue is not a bug.

@Kiri Your attitude is not helping.

On Fri, Jun 18, 2010 at 20:13, Kiri <email address hidden> wrote:
> I regard this as not a bug.  There may be an issue, but the issue is not
> a bug.
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>

I hate to say it but Kiri is right in this case. This sounds more like
somebody who doesn't understand what a jar file actually is. There is no
attitude, just simply a case of somebody who doesn't get what a jar file is
and how it gets executed. I don't get why this bug is even still open...

Just my $0.02.

-Rob

On Fri, Jun 18, 2010 at 3:22 PM, Jan Minář <email address hidden> wrote:

> @Kiri Your attitude is not helping.
>
> On Fri, Jun 18, 2010 at 20:13, Kiri <email address hidden> wrote:
> > I regard this as not a bug. There may be an issue, but the issue is not
> > a bug.
> >
> > --
> > Opening a Java Archive (.JAR) file executes it regardless of the
> "executable" permission bit
> > https://bugs.launchpad.net/bugs/313439
> > You received this bug notification because you are a direct subscriber
> > of the bug.
> >
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the
> "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>

It doesn't really matter how much you write to the contrary, or how
personal you get, the fact of the matter remains that opening a file
downloaded from the Internet results in arbitrary code execution.

Your opinion is that this is OK.

My opinion is that this is not OK.

(1) The users don't expect this

Regardless of whether the users will agree with your explanation of
why this works the way it does, they will open files downloaded from
the Internet thinking that nothing can happen. Ubuntu has been
reinforcing this attitude, for example by Firefox warning against
opening *executable* files with a scary warning, while opening
non-executable data types seamlessly.

(2) It lowers the barrier for malicious code execution too low

If Ubuntu ever gets a sizable market share, this will get targeted by
malicious code writers, and it will get fixed. No harm in keeping
this bug open for at least that long, is there?

(3) Fix is easy to implement, albeit with some level of hackery

There is always some level of hackery involved when trying to fit a
model to the real world.

(4) We have had this debate before

We have all laughed at people opening e-mail attachments in Outlook or
simply opening documents in Word and getting viruses and what not.
This is not different.

For all these reasons, the bug should be fixed.

On Fri, Jun 18, 2010 at 20:40, Robert O'Connor <email address hidden> wrote:
> I hate to say it but Kiri is right in this case. This sounds more like
> somebody who doesn't understand what a jar file actually is. There is no
> attitude, just simply a case of somebody who doesn't get what a jar file is
> and how it gets executed. I don't get why this bug is even still open...
>
> Just my $0.02.
>
> -Rob
>
>
> On Fri, Jun 18, 2010 at 3:22 PM, Jan Minář <email address hidden> wrote:
>
>> @Kiri Your attitude is not helping.
>>
>> On Fri, Jun 18, 2010 at 20:13, Kiri <email address hidden> wrote:
>> > I regard this as not a bug.  There may be an issue, but the issue is not
>> > a bug.
>> >
>> > --
>> > Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> > https://bugs.launchpad.net/bugs/313439
>> > You received this bug notification because you are a direct subscriber
>> > of the bug.
>> >
>>
>> --
>> Opening a Java Archive (.JAR) file executes it regardless of the
>> "executable" permission bit
>> https://bugs.launchpad.net/bugs/313439
>> You received this bug notification because you are a direct subscriber
>> of the bug.
>>
>
> --
> Opening a Java Archive (.JAR) file executes it regardless of the "executable" permission bit
> https://bugs.launchpad.net/bugs/313439
> You received this bug notification because you are a direct subscriber
> of the bug.
>

This has already been solved by adding "cautious-launcher" to .desktop files that have MimeType and Exec lines, in line with the Ubuntu Executable Bit Policy: https://wiki.ubuntu.com/SecurityTeam/Policies#Execute-Permission%20Bit%20Required

$ egrep '^(Exec|MimeType)=' usr/share/applications/sun-java6-java.desktop
Exec=cautious-launcher %f /usr/lib/jvm/java-6-sun-1.6.0.24/bin/java -jar
MimeType=application/x-java-archive;application/java-archive;application/x-jar;

$ egrep '^(Exec|MimeType)=' usr/share/applications/openjdk-6-java.desktop
Exec=cautious-launcher %f /usr/lib/jvm/java-6-openjdk/bin/java -jar
MimeType=application/x-java-archive;application/java-archive;application/x-jar;