autoconf-patches

Re: [FYI] {master} maint: assume 'test -x' is portable


From: Eric Blake
Subject: Re: [FYI] {master} maint: assume 'test -x' is portable
Date: Fri, 24 Feb 2012 20:48:07 -0700
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:10.0.1) Gecko/20120209 Thunderbird/10.0.1

On 02/23/2012 05:13 PM, Eric Blake wrote:
> On 02/23/2012 04:50 PM, Paul Eggert wrote:
>> On 02/23/2012 03:05 PM, Stefano Lattarini wrote:
>>> address@hidden -r}.  Do not use @samp{test -e} either, because Solaris 10
>>
>> The word "either" should be removed.  Otherwise looks OK.
> 
> I just thought of another issue worth documenting:
> 
> On systems where access(,X_OK) gives bogus results when run as root, it
> is also possible for 'test -x' to give those same bogus results (that
> is, POSIX allows but discourages test -x as root to always succeed,
> where no one can actually execute the file).  Also, in the presence of
> ACLs, it is unspecified whether test matches the ACLs or just the stat
> mode bits (POSIX recommends matching the ACLs, but that in turn can be
> surprising when a file mode 0600 owned by someone else passes 'test -r'
> for the current user due to an ACL).

Here's what I'm pushing for the doc side; I'm still working on the shell
probe for a working 'test -x'.  I also note that AS_TEST_X is
undocumented, although I don't want to delete it just yet.

From a66fcb0003e6d942dcda5d48860df0cff7e861e3 Mon Sep 17 00:00:00 2001
From: Eric Blake <address@hidden>
Date: Fri, 24 Feb 2012 20:45:35 -0700
Subject: [PATCH] doc: mention more pitfalls of file mode tests

4.3BSD is museum-ware now, so we can assume that test -x exists;
however, we still can't assume that it always does what we want.

* doc/autoconf.texi (Limitations of Builtins) <test (files)>:
Treat 'test -x' as mostly portable, but mention problems with
root user, ACLs, and TOCTTOU races.

Signed-off-by: Eric Blake <address@hidden>
---
 doc/autoconf.texi |   22 +++++++++++++++++++---
 1 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/doc/autoconf.texi b/doc/autoconf.texi
index 607d8dc..762c455 100644
--- a/doc/autoconf.texi
+++ b/doc/autoconf.texi
@@ -18125,14 +18125,30 @@ Limitations of Builtins
 To enable @command{configure} scripts to support cross-compilation, they
 shouldn't do anything that tests features of the build system instead of
 the host system.  But occasionally you may find it necessary to check
-whether some arbitrary file exists.  To do so, use @samp{test -f} or
address@hidden -r}.  Do not use @samp{test -x}, because 4.3BSD does not
-have it.  Do not use @samp{test -e} either, because Solaris
@command{/bin/sh}
+whether some arbitrary file exists.  To do so, use @samp{test -f},
address@hidden -r}, or @samp{test -x}.  Do not use @samp{test -e}, because
+Solaris @command{/bin/sh}
 lacks it.  To test for symbolic links on systems that have them, use
 @samp{test -h} rather than @samp{test -L}; either form conforms to
 Posix 1003.1-2001, but older shells like Solaris 8
 @code{/bin/sh} support only @option{-h}.

+For historical reasons, Posix reluctantly allows implementations of
address@hidden -x} that will succeed for the root user, even if no execute
+permissions are present.  Furthermore, shells do not all agree on
+whether Access Control Lists should affect @samp{test -r}, @samp{test
+-w}, and @samp{test -x}; some shells base test results strictly on the
+current user id compared to file owner and mode, as if by
address@hidden(2)}; while other shells base test results on whether the
+current user has the given right, even if that right is only granted by
+an ACL, as if by @code{faccessat(2)}.  Furthermore, there is a classic
+time of check to time of use race between any use of @command{test}
+followed by operating on the just-checked file.  Therefore, it is a good
+idea to write scripts that actually attempt an operation, and are
+prepared for the resulting failure if permission is denied, rather than
+trying to avoid an operation based solely on whether @command{test}
+guessed that it might be permitted.
+
 @item @command{test} (strings)
 @c ---------------------------
 Posix says that @samp{test "@var{string}"} succeeds if @var{string} is
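Review bot: The rewritten sentence "To do so, use @samp{test -f}, ... or @samp{test -x}" now lists test -x as a way to check "whether some arbitrary file exists", but test -x fails for a file that exists without execute permission, and the paragraph added below says its answer for the root user and under ACLs differs between shells. Consider recommending test -f or test -r for existence and saying separately that test -x may now be used where executability is the question. In the added paragraph, two consecutive sentences open with "Furthermore"; "Finally" would read better for the race sentence, and "time of check to time of use" could be hyphenated as "time-of-check to time-of-use", with the TOCTTOU abbreviation from the commit message given once so that readers can search for it.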
-- 
1.7.7.6



-- 
Eric Blake   address@hidden    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

Attachment: signature.asc
Description: OpenPGP digital signature
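
The advice in the new documentation paragraph (attempt the operation and handle the failure instead of trusting an earlier test -x), shown as an added example that is not part of the original message or of Autoconf. The function names, the file name "tool" and the inline chmod that stands in for a concurrent change are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the patch or from Autoconf.

# run_or_explain CMD [ARGS...]
# Attempt the command and classify a failure from the shell's exit status:
#   126  found but could not be executed (for example, no execute permission)
#   127  not found
# Caveat: a program can itself exit 126 or 127, so treat the text as a hint.
run_or_explain() {
    if "$@"; then
        return 0
    else
        rc=$?
    fi
    case $rc in
        126) echo "cannot execute: $1" >&2 ;;
        127) echo "not found: $1" >&2 ;;
        *)   echo "exited with status $rc: $1" >&2 ;;
    esac
    return "$rc"
}

# stale_check_demo DIR
# Constructed, deterministic stand-in for the race: the chmod that another
# process could perform between the check and the use is done inline.
# Prints "<test -x verdict> <exit status of the real attempt>".
stale_check_demo() {
    f=$1/tool                      # hypothetical file name
    printf '#!/bin/sh\nexit 0\n' > "$f"
    chmod 755 "$f"
    if test -x "$f"; then verdict=yes; else verdict=no; fi
    chmod 644 "$f"                 # state changes after the check
    rc=0
    run_or_explain "$f" 2>/dev/null || rc=$?
    echo "$verdict $rc"
}

demo_dir=$(mktemp -d) || exit 1
stale_check_demo "$demo_dir"
rm -rf "$demo_dir"
```

The demo reports that test -x said yes while the real attempt failed with status 126, which is the case a script has to handle whether or not it checked first.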

