bug-gnu-emacs

bug#12632: file permissions checking mishandled when setuid


From: Paul Eggert
Subject: bug#12632: file permissions checking mishandled when setuid
Date: Sun, 14 Oct 2012 12:42:40 -0700
User-agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121011 Thunderbird/16.0.1

On 10/14/2012 11:39 AM, Eli Zaretskii wrote:
> The 'access' man page simply says this:
> 
>    F_OK tests for the existence of the file.
> 
> It says nothing about granting any permissions (unlike when it
> describes R_OK, W_OK, and X_OK).

One always needs search permissions when resolving file names, no matter
what the context, and the 'access' man page doesn't bother to document
that.  Here's an example to illustrate.  Compile the following program
on a GNUish host and put it into a file 'a.out'.

        #define _GNU_SOURCE
        #include <stdio.h>
        #include <unistd.h>
        #include <sys/stat.h>

        static void
        try (char const *file)
        {
          struct stat st;
          printf ("%8d %12d %11d    %s\n",
                  access (file, F_OK),
                  euidaccess (file, F_OK),
                  stat (file, &st),
                  file);
        }

        int
        main (int argc, char **argv)
        {
          printf ("access(F_OK) euidaccess(F_OK) stat() filename\n");
          while (*++argv)
            try (*argv);
          return 0;
        }

Now, make a.out setuid and owned by someone else, and set up
an environment where you're trying to access files in directories
that you cannot search, but the other guy can.  For example:

        $ sudo chown games a.out
        $ sudo chmod u+s a.out
        $ mkdir -m 700 eggert games uucp
        $ touch eggert/foo games/foo uucp/foo
        $ sudo chown games games
        $ sudo chown uucp uucp
        $ sudo ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo
        -rwsr-sr-x. 1 games  root 7440 Oct 14 12:21 a.out
        drwx------. 2 eggert root 4096 Oct 14 12:15 eggert
        ----------. 1 root   root    0 Oct 14 12:15 eggert/foo
        drwx------. 2 games  root 4096 Oct 14 12:15 games
        ----------. 1 root   root    0 Oct 14 12:15 games/foo
        drwx------. 2 uucp   root 4096 Oct 14 12:22 uucp
        -rw-r--r--. 1 root   root    0 Oct 14 12:22 uucp/foo
        $ ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo
        ls: cannot access games/foo: Permission denied
        ls: cannot access uucp/foo: Permission denied
        -rwsr-sr-x. 1 games  root 7440 Oct 14 12:21 a.out
        drwx------. 2 eggert root 4096 Oct 14 12:15 eggert
        ----------. 1 root   root    0 Oct 14 12:15 eggert/foo
        drwx------. 2 games  root 4096 Oct 14 12:15 games
        drwx------. 2 uucp   root 4096 Oct 14 12:22 uucp
        $ ./a.out eggert eggert/foo games games/foo uucp uucp/foo
        access(F_OK) euidaccess(F_OK) stat() filename
               0            0           0    eggert
               0           -1          -1    eggert/foo
               0            0           0    games
              -1            0           0    games/foo
               0            0           0    uucp
              -1           -1          -1    uucp/foo

euidaccess always agrees with ls and with stat, whereas
access does not.  We want the semantics of ls and of stat
and of euidaccess, not the semantics of access.

> This part is wrong: the MSDOS build doesn't have sys_access

OK, thanks, I'll leave that part out.
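
The real-ID versus effective-ID distinction in the message above, as an added example that is not part of the original message or of Emacs: it uses POSIX `faccessat`, whose `AT_EACCESS` flag checks with the effective IDs as `euidaccess` does, and reads `errno` to separate "missing" from "could not search the directory". The function and enum names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>      /* AT_FDCWD, AT_EACCESS */
#include <stdio.h>
#include <unistd.h>

enum presence { PRESENT, ABSENT, UNKNOWN };

/* F_OK probe.  flags == 0 checks with the real IDs, like access();
   AT_EACCESS checks with the effective IDs, like euidaccess and stat.  */
static enum presence
probe (char const *file, int flags)
{
  if (faccessat (AT_FDCWD, file, F_OK, flags) == 0)
    return PRESENT;
  /* Only these errors prove the name is missing.  EACCES means a directory
     could not be searched, so the file may still exist (uucp/foo above).  */
  return errno == ENOENT || errno == ENOTDIR ? ABSENT : UNKNOWN;
}

enum presence presence_real (char const *file) { return probe (file, 0); }
enum presence presence_effective (char const *file) { return probe (file, AT_EACCESS); }

/* Nonzero when the process runs setuid or setgid, the only case in which
   the two probes can disagree.  */
int
ids_differ (void)
{
  return getuid () != geteuid () || getgid () != getegid ();
}

/* Nonzero when access semantics would answer differently from
   what stat and open will later experience for FILE.  */
int
access_would_mislead (char const *file)
{
  return presence_real (file) != presence_effective (file);
}

int
main (int argc, char **argv)
{
  static char const *const name[] = { "present", "absent", "unknown" };
  (void) argc;
  printf ("ids differ: %d\n", ids_differ ());
  printf ("%-8s %-9s %s\n", "real", "effective", "filename");
  while (*++argv)
    printf ("%-8s %-9s %s\n", name[presence_real (*argv)],
            name[presence_effective (*argv)], *argv);
  return 0;
}
```

Run it setuid with the same directory layout as in the message to see the `real` and `effective` columns diverge for `eggert/foo` and `games/foo`.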





