java nio file-ownership

How to check if a file is owned by the current user in Java?


I want to show a warning if a file is read that is not owned by the user that started the JVM.

In my application, this file can make the program write arbitrary files. So I want to reduce the risk of a privilege escalation attack, if an admin processes this file.

    Files.getOwner(path)

returns a UserPrincipal that represents the file owner. But I can't find a platform independent way to check if this UserPrincipal matches the current user.

I could use

    System.getProperty("user.name")

to get the current user and try to match the names. But these properties can be manipulated and this doesn't work if the file owner is a group, for example.


Solution

  • If you can reliably tell the owner of a file but not the owner of the process, we could combine those two: create a temporary file, get the owner and remove the file again.

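    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.attribute.UserPrincipal;

    // Create a throwaway file; the OS assigns it the owner of the current process.
    File tempFile = File.createTempFile("MyAppName-", ".tmp");
    UserPrincipal u = Files.getOwner(tempFile.toPath());
    tempFile.deleteOnExit(); // fallback in case the immediate delete fails
    tempFile.delete();

    // UserPrincipal u will contain the current process user.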
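
The temp-file probe from the answer above, wrapped into a reusable check (an added example, not code from the original post; the names `OwnerCheck`, `processOwner` and `isOwnedByCurrentUser` are hypothetical). It goes one step beyond the answer by comparing both the path entry itself and the file it resolves to, so a symlink created by another user is also flagged.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.UserPrincipal;

public class OwnerCheck {

    /** Owner the OS assigns to files this process creates, probed via a temp file. */
    static UserPrincipal processOwner() throws IOException {
        Path probe = Files.createTempFile("MyAppName-", ".tmp");
        try {
            return Files.getOwner(probe, LinkOption.NOFOLLOW_LINKS);
        } finally {
            Files.deleteIfExists(probe);
        }
    }

    /** True only if the path entry and the file it resolves to share the probe's owner. */
    static boolean isOwnedByCurrentUser(Path file) throws IOException {
        UserPrincipal me = processOwner();
        try {
            return me.equals(Files.getOwner(file, LinkOption.NOFOLLOW_LINKS)) // the link itself
                    && me.equals(Files.getOwner(file));                       // the link target
        } catch (UnsupportedOperationException e) {
            // File store exposes no owner attribute: ownership cannot be confirmed.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a file this process creates, so the check passes.
        Path own = Files.createTempFile("owner-check-sample-", ".cfg");
        try {
            System.out.println(own + " owned by current user: " + isOwnedByCurrentUser(own));
        } finally {
            Files.deleteIfExists(own);
        }
        // Paths given on the command line: warn when ownership is not confirmed.
        for (String arg : args) {
            Path p = Paths.get(arg);
            if (!isOwnedByCurrentUser(p)) {
                System.err.println("WARNING: " + p + " is not owned by the current user");
            }
        }
    }
}
```

The check and the later read are separate operations, so run it on the same path immediately before opening the file and treat the result as a warning signal, as the question intends.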