bug-gnu-emacs
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#12632: file permissions checking mishandled when setuid


From: Paul Eggert
Subject: bug#12632: file permissions checking mishandled when setuid
Date: Mon, 15 Oct 2012 14:38:05 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121009 Thunderbird/16.0

On 10/15/2012 10:31 AM, Eli Zaretskii wrote:
> Well, actually I thought we should stay with 'stat'.

We cannot stay with 'stat' everywhere, since 'stat' does not tell us
whether a file is readable or writeable or executable.  We must use
faccessat (or something like it, e.g., euidaccess) when we're
implementing functions like check_writable, check_executable, or
basically any function that uses R_OK, W_OK, or X_OK.  It's true that
we could use 'stat' instead of faccessat(..., F_OK, ...), but the
question then arises, why bother to make a special case for F_OK?

> So 'stat' is still better, IMO, because it is very efficient

Why should 'stat' be more efficient than faccessat?  'stat' has more
work to do if successful, as it needs to gather and copy a 'struct
stat' from kernel space to user space.  faccessat doesn't need to do that.

I did try timing the two, and found that on some hosts 'stat' is
faster, and on others 'faccessat' is.  Presumably 'stat' is faster on
platforms where, as you say, people have worked harder to tune it.
But the differences are not universal enough, or large enough, to say
that 'stat' is very efficient and faccessat is not.

> you need to change all the calls to sys_access inside
> w32.c, or else Emacs won't link on Windows.

Thanks, the following further patch should do that.

=== modified file 'src/ChangeLog'
--- src/ChangeLog       2012-10-15 06:07:05 +0000
+++ src/ChangeLog       2012-10-15 21:35:25 +0000
@@ -23,7 +23,7 @@
        stat, as that avoids a permissions race.  When not opening a file,
        use file_directory_p rather than stat.
        * w32.c (sys_faccessat): Rename from sys_access and switch to
-       faccessat's API.
+       faccessat's API.  All uses changed.
 
 2012-10-15  Daniel Colascione  <dancol@dancol.org>
 

=== modified file 'src/w32.c'
--- src/w32.c   2012-10-15 06:05:46 +0000
+++ src/w32.c   2012-10-15 21:35:25 +0000
@@ -1590,7 +1590,7 @@
         see if it succeeds.  But I think that's too much to ask.  */
 
       /* MSVCRT's _access crashes with D_OK.  */
-      if (tmp && sys_access (tmp, D_OK) == 0)
+      if (tmp && sys_faccessat (AT_FDCWD, tmp, D_OK, AT_EACCESS) == 0)
        {
          char * var = alloca (strlen (tmp) + 8);
          sprintf (var, "TMPDIR=%s", tmp);
@@ -2959,7 +2959,7 @@
        {
          int save_errno = errno;
          p[0] = first_char[i];
-         if (sys_access (template, 0) < 0)
+         if (sys_faccessat (AT_FDCWD, template, F_OK, AT_EACCESS) < 0)
            {
              errno = save_errno;
              return template;
@@ -4010,7 +4010,7 @@
     {
       /* Non-absolute FILENAME is understood as being relative to
         LINKNAME's directory.  We need to prepend that directory to
-        FILENAME to get correct results from sys_access below, since
+        FILENAME to get correct results from sys_faccessat below, since
         otherwise it will interpret FILENAME relative to the
         directory where the Emacs process runs.  Note that
         make-symbolic-link always makes sure LINKNAME is a fully
@@ -4024,10 +4024,10 @@
        strncpy (tem, linkfn, p - linkfn);
       tem[p - linkfn] = '\0';
       strcat (tem, filename);
-      dir_access = sys_access (tem, D_OK);
+      dir_access = sys_faccessat (AT_FDCWD, tem, D_OK, AT_EACCESS);
     }
   else
-    dir_access = sys_access (filename, D_OK);
+    dir_access = sys_faccessat (AT_FDCWD, filename, D_OK, AT_EACCESS);
 
   /* Since Windows distinguishes between symlinks to directories and
      to files, we provide a kludgy feature: if FILENAME doesn't







reply via email to

[Prev in Thread] Current Thread [Next in Thread]