From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Paul Eggert Newsgroups: gmane.emacs.bugs Subject: bug#12632: file permissions checking mishandled when setuid Date: Sun, 14 Oct 2012 12:42:40 -0700 Organization: UCLA Computer Science Department Message-ID: <507B15B0.2040802@cs.ucla.edu> References: <5078CAB6.7020509@cs.ucla.edu> <83fw5i7s4p.fsf@gnu.org> <83a9vq7oqh.fsf@gnu.org> <507A58CC.10209@cs.ucla.edu> <83fw5h5yo6.fsf@gnu.org> <507B010F.20105@cs.ucla.edu> <831uh06gqd.fsf@gnu.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit X-Trace: ger.gmane.org 1350243786 19627 80.91.229.3 (14 Oct 2012 19:43:06 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sun, 14 Oct 2012 19:43:06 +0000 (UTC) Cc: 12632@debbugs.gnu.org To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Oct 14 21:43:13 2012 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1TNU5g-0005Da-FX for geb-bug-gnu-emacs@m.gmane.org; Sun, 14 Oct 2012 21:43:12 +0200 Original-Received: from localhost ([::1]:54021 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNU5Z-0004hz-R0 for geb-bug-gnu-emacs@m.gmane.org; Sun, 14 Oct 2012 15:43:05 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:50057) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNU5U-0004gx-KI for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 15:43:04 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TNU5T-00051q-Hs for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 15:43:00 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:33891) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNU5T-00051m-EI for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 15:42:59 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72) (envelope-from ) id 1TNU6T-0005yG-Ty for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 15:44:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Paul Eggert Original-Sender: debbugs-submit-bounces@debbugs.gnu.org Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sun, 14 Oct 2012 19:44:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 12632 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 12632-submit@debbugs.gnu.org id=B12632.135024383522932 (code B ref 12632); Sun, 14 Oct 2012 19:44:01 +0000 Original-Received: (at 12632) by debbugs.gnu.org; 14 Oct 2012 19:43:55 +0000 Original-Received: from localhost ([127.0.0.1]:44142 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNU6N-0005xo-8u for submit@debbugs.gnu.org; Sun, 14 Oct 2012 15:43:55 -0400 Original-Received: from smtp.cs.ucla.edu ([131.179.128.62]:36848) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNU6L-0005xc-Ap for 12632@debbugs.gnu.org; Sun, 14 Oct 2012 15:43:54 -0400 Original-Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp.cs.ucla.edu (Postfix) with ESMTP id D6023A60002; Sun, 14 Oct 2012 12:42:44 -0700 (PDT) X-Virus-Scanned: amavisd-new at smtp.cs.ucla.edu Original-Received: from smtp.cs.ucla.edu ([127.0.0.1]) by localhost (smtp.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VcpXX816KA-o; Sun, 14 Oct 2012 12:42:44 -0700 (PDT) Original-Received: from [192.168.1.3] (pool-108-23-119-2.lsanca.fios.verizon.net [108.23.119.2]) by smtp.cs.ucla.edu (Postfix) with ESMTPSA id 547BFA60001; Sun, 14 Oct 2012 12:42:44 -0700 (PDT) User-Agent: Mozilla/5.0 (X11; Linux i686; rv:16.0) Gecko/20121011 Thunderbird/16.0.1 In-Reply-To: <831uh06gqd.fsf@gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.13 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:65611 Archived-At: On 10/14/2012 11:39 AM, Eli Zaretskii wrote: > The 'access' man page simply says this: > > F_OK tests for the existence of the file. > > It says nothing about granting any permissions (unlike when it > describes R_OK, W_OK, and X_OK). One always needs search permissions when resolving file names, no matter what the context, and the 'access' man page doesn't bother to document that. Here's an example to illustrate. Compile the following program on a GNUish host and put it into a file 'a.out'. #define _GNU_SOURCE #include #include #include static void try (char const *file) { struct stat st; printf ("%8d %12d %11d %s\n", access (file, F_OK), euidaccess (file, F_OK), stat (file, &st), file); } int main (int argc, char **argv) { printf ("access(F_OK) euidaccess(F_OK) stat() filename\n"); while (*++argv) try (*argv); return 0; } Now, make a.out setuid and owned by someone else, and set up an environment where you're trying to access files in directories that you cannot search, but the other guy can. For example: $ sudo chown games a.out $ sudo chmod u+s a.out $ mkdir -m 700 eggert games uucp $ touch eggert/foo games/foo uucp/foo $ sudo chown games games $ sudo chown uucp uucp $ sudo ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo -rwsr-sr-x. 1 games root 7440 Oct 14 12:21 a.out drwx------. 2 eggert root 4096 Oct 14 12:15 eggert ----------. 1 root root 0 Oct 14 12:15 eggert/foo drwx------. 2 games root 4096 Oct 14 12:15 games ----------. 1 root root 0 Oct 14 12:15 games/foo drwx------. 2 uucp root 4096 Oct 14 12:22 uucp -rw-r--r--. 1 root root 0 Oct 14 12:22 uucp/foo $ ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo ls: cannot access games/foo: Permission denied ls: cannot access uucp/foo: Permission denied -rwsr-sr-x. 1 games root 7440 Oct 14 12:21 a.out drwx------. 2 eggert root 4096 Oct 14 12:15 eggert ----------. 1 root root 0 Oct 14 12:15 eggert/foo drwx------. 2 games root 4096 Oct 14 12:15 games drwx------. 2 uucp root 4096 Oct 14 12:22 uucp $ ./a.out eggert eggert/foo games games/foo uucp uucp/foo access(F_OK) euidaccess(F_OK) stat() filename 0 0 0 eggert 0 -1 -1 eggert/foo 0 0 0 games -1 0 0 games/foo 0 0 0 uucp -1 -1 -1 uucp/foo euidaccess always agrees with ls and with stat, whereas access does not. We want the semantics of ls and of stat and of euidaccess, not the semantics of access. > This part is wrong: the MSDOS build doesn't have sys_access OK, thanks, I'll leave that part out.