0

On an NTFS volume on Windows 10 Version 1803 build 17134.523 with Developer Mode enabled, I have a file myfile. I can make symbolic links to this file with mklink. However, if I call Files.createSymbolicLink on java jre 1.8.0_201, if throws:

java.nio.file.FileSystemException: linkname: A required privilege is not held by the client.

    at sun.nio.fs.WindowsException.translateToIOException(Unknown Source)
    at sun.nio.fs.WindowsException.rethrowAsIOException(Unknown Source)
    at sun.nio.fs.WindowsException.rethrowAsIOException(Unknown Source)
    at sun.nio.fs.WindowsFileSystemProvider.createSymbolicLink(Unknown Source)
    at java.nio.file.Files.createSymbolicLink(Unknown Source)
    at CreateLinks.main(CreateLinks.java:15)

The same works without problems on the Windows Subsystem for Linux (WSL) with jre 1.8.0_191-8u191-b12-0ubuntu0.18.10.1-b12

How can I make this work on windows without going into WSL? And where is this exception thrown exactly?

Martijn
  • 11,964
  • 12
  • 50
  • 96

2 Answers2

4

Creating symbolic links requires SeCreateSymbolicLinkPrivilege, unless the system is in developer mode and WinAPI CreateSymbolicLink is called with the flag SYMBOLIC_LINK_FLAG_ALLOW_UNPRIVILEGED_CREATE (*). CMD's mklink command uses this flag in Windows 10. Apparently Java JRE version 1.8.0_201 does not.

As to WSL, it inherits the security context from which it is run. If run from a logon that has SeCreateSymbolicLinkPrivilege, recent versions of WSL will create normal Windows symlinks on a drvfs (e.g. NTFS) volume. Otherwise WSL uses a custom symlink type, which is based on an IO_REPARSE_TAG_LX_SYMLINK (0xA000001D) reparse point instead of the normal IO_REPARSE_TAG_SYMLINK (0xA000000C) reparse point. You can query the type of reparse point via the command fsutil reparsepoint query <filename>.

(*) The docs say "[s]pecify this flag to allow creation of symbolic links when the process is not elevated". More precisely, this flag allows creating symlinks without SeCreateSymbolicLinkPrivilege, which is only related to being "elevated" with the default system settings. Personally, I grant this privilege to the "Authenticated Users" group, in which case creating symlinks doesn't require elevating to full admin access.

Eryk Sun
  • 33,190
  • 5
  • 92
  • 111
  • I submitted a feature request https://bugs.openjdk.java.net/browse/JDK-8218418 based on the information in this answer, and this is fixed with http://hg.openjdk.java.net/jdk/jdk/rev/66185e52b979 and will be released with Java 13 – Martijn Apr 04 '19 at 08:32
  • 1
    @Martijn, the unprivileged-create flag is an invalid parameter in previous versions of Windows. The straight forward way to address this is to check the OS build number. We can also use a global flag that's initially set to allow using the unprivileged-create flag. If the call fails as an invalid parameter, try again without the unprivileged-create flag. If the second call succeeds, or if it fails with an error other than invalid parameter, then assume the new flag is not supported and clear the global flag that enables it. – Eryk Sun Apr 04 '19 at 09:18
-1

it's not related to your Java, it's just related to your os. please see the following link: How to create Soft symbolic Link using java.nio.Files

Win10 with UAC turned off - I had to set Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode = Disabled - otherwise - same FileSystemException: A required privilege is not held by the client

Sajjad Rostami
  • 303
  • 2
  • 3
  • 12