Bug 1015

Summary: Windows IOUtil.getTempDir(..) Cannot determine executable temp directory
Product: [JogAmp] Gluegen
Reporter: Sven Gothel <sgothel>
Component: core
Assignee: Sven Gothel <sgothel>
Status: RESOLVED FIXED
Severity: major
CC: askinner
Priority: ---
Version: 2
Hardware: All
OS: windows
Type: ---
SCM Refs: 9bc3d3f78bb2fb1aa0ccfb02ffb5bdda74420cac
Workaround: ---
Bug Depends on: 865, 1108
Bug Blocks: 1103, 1109

Description Sven Gothel 2014-06-06 19:27:01 CEST
On platform Windows, we don't validate whether the temp dir 
for native libraries has executable-access.

On some systems, the TEMP dir only has write-access, 
but no executable-access.

IOUtil.getOSHasNoexecFS() for WINDOWS 
currently returns true, i.e. we don't check executable-access.
We need to return false to perform the check and offer a workaround,
maybe similar to Bug 865.

As is, a non-executable temp folder will result in an exception like:

+++

Exception in thread "AWT-EventQueue-0" java.lang.UnsatisfiedLinkError: C:\Users\ram dhuley\AppData\Local\Temp\jogamp_0000\file_cache\jln7241190548013054463\jln8954501619229889979\gluegen-rt.dll: Access is denied

+++
Comment 1 Sven Gothel 2014-08-28 07:01:52 CEST
Test executable permission on Windows via bat file 
(temp dir, like on unix and osx).
    
    Tested on Windows 7 and Windows 8.1 using 'Using Software Restriction Policies',
    i.e. disabled sw-execution in TEMP dir.
    
    On Windows we need to add min. shell code, here 'echo off',
    allowing the bat file to be executed if policy allows it.
    
    Reminder: We test the following temp folders
    
    1) java.io.tmpdir/jogamp
    2) $XDG_CACHE_HOME/jogamp
    3) $TMPDIR/jogamp or $TEMP/jogamp
    4) $HOME/.jogamp
    
    +++
    
    Misc:
    
    Proper 'duplicate' validation via 'file1.equals(file2)' test
    using the abstract pathname.
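
The executable-access test described in Comment 1, sketched as an added Java example; it is not part of the original comments and is not GlueGen's own code. The class and method names, the unix script body, launching the probe file directly through ProcessBuilder, and the use of `user.home` for `$HOME` are assumptions.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.util.ArrayList;
import java.util.List;

// Added example: hypothetical class, not GlueGen's IOUtil.
public class ExecTempDirProbe {
    static final boolean WINDOWS = System.getProperty("os.name").toLowerCase().startsWith("windows");

    // Writes a minimal script into dir and runs it; true only if it launched and exited with 0.
    static boolean canExecuteIn(File dir) {
        if (!dir.isDirectory() && !dir.mkdirs()) return false;
        File probe = null;
        try {
            probe = File.createTempFile("exetst", WINDOWS ? ".bat" : ".sh", dir);
            // 'echo off' is the bat content named in Comment 1; the sh body is an assumption.
            String body = WINDOWS ? "echo off\r\n" : "#!/bin/sh\nexit 0\n";
            Files.write(probe.toPath(), body.getBytes(StandardCharsets.US_ASCII));
            if (!WINDOWS && !probe.setExecutable(true, true)) return false;
            // start() throws IOException when the OS refuses to launch the file.
            Process p = new ProcessBuilder(probe.getCanonicalPath()).redirectErrorStream(true)
                    .redirectOutput(ProcessBuilder.Redirect.DISCARD).start(); // DISCARD needs Java 9+
            return p.waitFor() == 0;
        } catch (IOException | InterruptedException e) {
            if (e instanceof InterruptedException) Thread.currentThread().interrupt();
            return false;
        } finally {
            if (probe != null) probe.delete();
        }
    }

    // Candidates in the order listed in Comment 1, skipping unset variables and duplicates.
    static List<File> candidates() {
        String[][] spec = { { System.getProperty("java.io.tmpdir"), "jogamp" },
            { System.getenv("XDG_CACHE_HOME"), "jogamp" }, { System.getenv("TMPDIR"), "jogamp" },
            { System.getenv("TEMP"), "jogamp" }, { System.getProperty("user.home"), ".jogamp" } };
        List<File> out = new ArrayList<>();
        for (String[] s : spec) {
            if (s[0] == null || s[0].isEmpty()) continue;
            File f = new File(s[0], s[1]); // user.home above is an assumed stand-in for $HOME
            if (!out.contains(f)) out.add(f); // contains() uses File.equals: abstract pathname
        }
        return out;
    }
    public static void main(String[] args) {
        candidates().forEach(d -> System.out.println(d + " -> " + (canExecuteIn(d) ? "exec OK" : "no exec")));
    }
}
```

Running it prints one line per candidate folder, so a policy-restricted TEMP shows up as "no exec" while a later candidate may still pass.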
Comment 2 Sven Gothel 2014-09-16 21:53:48 CEST
Software Restriction Policies
- http://technet.microsoft.com/en-us/library/hh831534.aspx

Software Restriction Policies Technical Overview
- http://technet.microsoft.com/en-us/library/hh994620.aspx

Administer Software Restriction Policies
- http://technet.microsoft.com/en-us/library/hh994606.aspx

On local machine (needs admin account, Win >= 8 professional ?!)
  - http://technet.microsoft.com/en-us/library/hh994606.aspx#BKMK_1

  - Open Control Panel
  - Search and Open: Administrative Tools
  - Open: Local Security Policy
  - Open: Software Restriction Policies

Now create an additional rule, like:
  - Path Rule for C:\Temp\no-exec
  - Security level: Disallowed
Comment 3 Sven Gothel 2014-12-12 01:35:30 CET
From 'noexec-option-on-ntfs-under-windows' 
  <http://serverfault.com/questions/90135/noexec-option-on-ntfs-under-windows>

"There is no analog to a "noexec" mount for filesystems in Windows. Microsoft's conception of the simple "Read" permission includes the right to execute (since execution really is just the loader reading the image into memory).

You can modify the "Advanced" version of the permission to remove (or deny) "Traverse Folder / Execute File" permission. This will prevent double-click or command-line execution of .EXE files. .BAT and .CMD files will not execute from a double-click in Explorer, but they will still execute from a command prompt or using the syntax "CMD /c " from Start / Run."