Reputation: 3269
I've recently been promoted to an admin, meaning my Active Directory username was given many more permissions. As such, I now have permissions to read/write to our servers, which is something that's a little troubling.
Before, if I ran any local code that ran something like my_remote_file.delete(), then it would ignore that method. (Well, technically, it would return false.) However, since my Active Directory username is now given all permissions on our servers, Java has no problem running that local code, and it will actually affect our servers.
I don't want to make the assumption that I'll always be careful when running local code, and I wanted to know if you guys had any ideas to relegate my permissions only in the case where I run local code within Eclipse. In other words, I want read-only permissions on all of our server directories when I run any local code within Eclipse.
One solution I thought of was to simply create another user, with read-only permissions in Active Directory, but I think maintaining two accounts won't scale out well in the future.
Upvotes: 3
Views: 230
Reputation: 143906
This isn't going to exactly "ignore" methods like my_remote_file.delete(), but it'll let you change some of the permissions if you use a policy file. This will make it so you can't delete the file /local/file:

    grant {
        permission java.io.FilePermission "/local/file", "read";
    };

Then invoke it like:

    java -Djava.security.manager=default -Djava.security.policy=polfile YourEntryPointClass

(you'd do something similar in Eclipse, probably under the VM arguments)
Or you can create a custom SecurityManager and implement checkDelete() and checkWrite() methods that throw SecurityExceptions. It'll probably give you a similar result as physically changing permissions on the local filesystem, without having to create an unprivileged user.
Upvotes: 2
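The custom SecurityManager route described in the answer above, as an added example (not the answerer's code): the class name ReadOnlyGuard and the temp directory standing in for a server share are assumptions. SecurityManager is deprecated for removal since Java 17; on Java 18 to 23 installing one at runtime needs -Djava.security.manager=allow, and from Java 24 it can no longer be installed.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Permission;

// Hypothetical class: blocks write/delete under one root, allows everything else.
// It guards against accidents in your own code, not against hostile code,
// because the permissive checkPermission lets code replace the manager.
public class ReadOnlyGuard extends SecurityManager {
    private final Path root;

    public ReadOnlyGuard(String protectedRoot) {
        this.root = Paths.get(protectedRoot).toAbsolutePath().normalize();
    }

    // Component-wise match, so /srv/data does not also cover /srv/database.
    // normalize() collapses ".." but does not resolve symlinks.
    private boolean isProtected(String file) {
        return Paths.get(file).toAbsolutePath().normalize().startsWith(root);
    }

    @Override public void checkDelete(String file) {
        if (isProtected(file)) throw new SecurityException("delete blocked: " + file);
    }

    @Override public void checkWrite(String file) {
        if (isProtected(file)) throw new SecurityException("write blocked: " + file);
    }

    // Without these overrides the default manager would deny almost everything.
    @Override public void checkPermission(Permission perm) { }
    @Override public void checkPermission(Permission perm, Object context) { }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a server share; in practice pass the UNC or mount path.
        Path share = Files.createTempDirectory("fake-share");
        Path victim = Files.createFile(share.resolve("report.txt"));

        System.setSecurityManager(new ReadOnlyGuard(share.toString()));
        try {
            victim.toFile().delete();   // java.io.File.delete() consults checkDelete
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
        System.out.println("still exists: " + Files.exists(victim));
    }
}
```

Unlike the pre-promotion behaviour described in the question, where delete() returned false, the blocked call here throws a SecurityException, so an accidental write fails loudly.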