public static SimpleImmutableEntry validateStrictKeyFilePermissions()

in sshd-common/src/main/java/org/apache/sshd/common/config/keys/KeyUtils.java [257:331]

• 53 lines of code
• 17 McCabe index (conditional complexity)

    public static SimpleImmutableEntry<String, Object> validateStrictKeyFilePermissions(Path path, LinkOption... options)
            throws IOException {
        if ((path == null) || (!Files.exists(path, options))) {
            return null;
        }

        /*
         * Android permission are not really consistent with standard Linux ones since the device is
         * a "single" user O/S but with each application being a different "user". We therefore assume
         * that if the application has access to a file, then it is good enough since there is really
         * only one user, and we don't have to worry about multi-user access. Furthermore, the SE Linux
         * security available on Android seems to be enough of a safeguard against inadvertent or even
         * malicious access.
         */
        if (OsUtils.isAndroid()) {
            return null;
        }

        Collection<PosixFilePermission> perms = IoUtils.getPermissions(path, options);
        if (GenericUtils.isEmpty(perms)) {
            return null;
        }

        if (perms.contains(PosixFilePermission.OTHERS_EXECUTE)) {
            PosixFilePermission p = PosixFilePermission.OTHERS_EXECUTE;
            return new SimpleImmutableEntry<>(String.format("Permissions violation (%s)", p), p);
        }

        if (OsUtils.isUNIX()) {
            PosixFilePermission p = IoUtils.validateExcludedPermissions(perms, STRICTLY_PROHIBITED_FILE_PERMISSION);
            if (p != null) {
                return new SimpleImmutableEntry<>(String.format("Permissions violation (%s)", p), p);
            }

            if (Files.isRegularFile(path, options)) {
                Path parent = path.getParent();
                p = IoUtils.validateExcludedPermissions(IoUtils.getPermissions(parent, options),
                        STRICTLY_PROHIBITED_FILE_PERMISSION);
                if (p != null) {
                    return new SimpleImmutableEntry<>(String.format("Parent permissions violation (%s)", p), p);
                }
            }
        }

        String owner = IoUtils.getFileOwner(path, options);
        if (GenericUtils.isEmpty(owner)) {
            // we cannot get owner
            // general issue: jvm does not support permissions
            // security issue: specific filesystem does not support permissions
            return null;
        }

        String current = OsUtils.getCurrentUser();
        Set<String> expected = new HashSet<>();
        expected.add(current);
        if (OsUtils.isUNIX()) {
            // Windows "Administrator" was considered however in Windows most likely a group is used.
            expected.add(OsUtils.ROOT_USER);
        }

        if (!expected.contains(owner)) {
            return new SimpleImmutableEntry<>(String.format("Owner violation (%s)", owner), owner);
        }

        if (OsUtils.isUNIX()) {
            if (Files.isRegularFile(path, options)) {
                String parentOwner = IoUtils.getFileOwner(path.getParent(), options);
                if ((!GenericUtils.isEmpty(parentOwner)) && (!expected.contains(parentOwner))) {
                    return new SimpleImmutableEntry<>(String.format("Parent owner violation (%s)", parentOwner), parentOwner);
                }
            }
        }

        return null;
    }