Bug 1015 - Windows IOUtil.getTempDir(..) Cannot determine executable temp directory
Summary: Windows IOUtil.getTempDir(..) Cannot determine executable temp directory
Status: RESOLVED FIXED
Alias: None
Product: Gluegen
Classification: JogAmp
Component: core (show other bugs)
Version: 2
Hardware: All windows
: --- major
Assignee: Sven Gothel
URL:
Depends on: 865 1108
Blocks: 1103 1109
  Show dependency treegraph
 
Reported: 2014-06-06 19:27 CEST by Sven Gothel
Modified: 2014-12-12 01:35 CET (History)
1 user (show)

See Also:
Type: ---
SCM Refs:
9bc3d3f78bb2fb1aa0ccfb02ffb5bdda74420cac
Workaround: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sven Gothel 2014-06-06 19:27:01 CEST 
On platform Window, we don't validate whether the temp dir 
for native libraries has executable-access.

On some systems, the TEMP dir only has write-access, 
but no executable-access.

IOUtil.getOSHasNoexecFS() for WINDOWS 
currently returns true, i.e. we don't check executable-access.
We need to return false to perform the check and offer a workaround,
maybe similar to Bug 865.

As is, non executable temp folder will result in an exception like:

+++

Exception in thread "AWT-EventQueue-0" java.lang.UnsatisfiedLinkError: C:\Users\ram dhuley\AppData\Local\Temp\jogamp_0000\file_cache\jln7241190548013054463\jln8954501619229889979\gluegen-rt.dll: Access is denied

+++
Comment 1 Sven Gothel 2014-08-28 07:01:52 CEST 
Test executable permission on Windows via bat file 
(temp dir, like on unix and osx).
    
    Tested on Window 7 and Windows 8.1 using 'Using Software Restriction Policies',
    i.e. disabled sw-execution in TEMP dir.
    
    On Windows we need to add min. shell code, here 'echo off',
    allowing the bat file to be executed if policy allows it.
    
    Reminder: We test the following temp folder
    
    1) java.io.tmpdir/jogamp
    2) $XDG_CACHE_HOME/jogamp
    3) $TMPDIR/jogamp or $TEMP/jogamp
    4) $HOME/.jogamp
    
    +++
    
    Misc:
    
    Proper 'duplicate' validation via 'file1.equals(file2)' test
    using the abstract pathname.
Comment 2 Sven Gothel 2014-09-16 21:53:48 CEST 
Software Restriction Policies
- http://technet.microsoft.com/en-us/library/hh831534.aspx

Software Restriction Policies Technical Overview
- http://technet.microsoft.com/en-us/library/hh994620.aspx

Administer Software Restriction Policies
- http://technet.microsoft.com/en-us/library/hh994606.aspx

On local machine (needs admin account, Win >= 8 professional ?!)
  - http://technet.microsoft.com/en-us/library/hh994606.aspx#BKMK_1

  - Open Control Panel
  - Search and Open: Administrative Tools
  - Open: Local Security Policy
  - Open: Software Restriction Policies

Now create an additional rule, like:
  - Path Rule for C:\Temp\no-exec
  - Security level: Disallowed
Comment 3 Sven Gothel 2014-12-12 01:35:30 CET 
From 'noexec-option-on-ntfs-under-windows' 
  <http://serverfault.com/questions/90135/noexec-option-on-ntfs-under-windows>

"There is no analog to a "noexec" mount for filesystems in Windows. Microsoft's conception of the simple "Read" permission includes the right to execute (since execution really is just the loader reading the image into memory).

You can modify the "Advanced" version of the permission to remove (or deny) "Traverse Folder / Execute File" permission. This will prevent double-click or command-line execution of .EXE files. .BAT and .CMD files will not execute from a double-click in Explorer, but they will still execute from a command prompt or using the syntax "CMD /c " from Start / Run."