bug#12632: file permissions checking mishandled when setuid

[Paul Eggert <eggert@cs.ucla.edu>]

On 10/15/2012 10:31 AM, Eli Zaretskii wrote:
> Well, actually I thought we should stay with 'stat'.

We cannot stay with 'stat' everywhere, since 'stat' does not tell us
whether a file is readable or writeable or executable.  We must use
faccessat (or something like it, e.g., euidaccess) when we're
implementing functions like check_writable, check_executable, or
basically any function that uses R_OK, W_OK, or X_OK.  It's true that
we could use 'stat' instead of faccessat(..., F_OK, ...), but the
question then arises, why bother to make a special case for F_OK?

> So 'stat' is still better, IMO, because it is very efficient

Why should 'stat' be more efficient than faccessat?  'stat' has more
work to do if successful, as it needs to gather and copy a 'struct
stat' from kernel space to user space.  faccessat doesn't need to do that.

I did try timing the two, and found that on some hosts 'stat' is
faster, and on others 'faccessat' is.  Presumably 'stat' is faster on
platforms where, as you say, people have worked harder to tune it.
But the differences are not universal enough, or large enough, to say
that 'stat' is very efficient and faccessat is not.

> you need to change all the calls to sys_access inside
> w32.c, or else Emacs won't link on Windows.

Thanks, the following further patch should do that.

=== modified file 'src/ChangeLog'
--- src/ChangeLog	2012-10-15 06:07:05 +0000
+++ src/ChangeLog	2012-10-15 21:35:25 +0000
@@ -23,7 +23,7 @@
 	stat, as that avoids a permissions race.  When not opening a file,
 	use file_directory_p rather than stat.
 	* w32.c (sys_faccessat): Rename from sys_access and switch to
-	faccessat's API.
+	faccessat's API.  All uses changed.
 
 2012-10-15  Daniel Colascione  <dancol@dancol.org>
 

=== modified file 'src/w32.c'
--- src/w32.c	2012-10-15 06:05:46 +0000
+++ src/w32.c	2012-10-15 21:35:25 +0000
@@ -1590,7 +1590,7 @@
 	 see if it succeeds.  But I think that's too much to ask.  */
 
       /* MSVCRT's _access crashes with D_OK.  */
-      if (tmp && sys_access (tmp, D_OK) == 0)
+      if (tmp && sys_faccessat (AT_FDCWD, tmp, D_OK, AT_EACCESS) == 0)
 	{
 	  char * var = alloca (strlen (tmp) + 8);
 	  sprintf (var, "TMPDIR=%s", tmp);
@@ -2959,7 +2959,7 @@
 	{
 	  int save_errno = errno;
 	  p[0] = first_char[i];
-	  if (sys_access (template, 0) < 0)
+	  if (sys_faccessat (AT_FDCWD, template, F_OK, AT_EACCESS) < 0)
 	    {
 	      errno = save_errno;
 	      return template;
@@ -4010,7 +4010,7 @@
     {
       /* Non-absolute FILENAME is understood as being relative to
 	 LINKNAME's directory.  We need to prepend that directory to
-	 FILENAME to get correct results from sys_access below, since
+	 FILENAME to get correct results from sys_faccessat below, since
 	 otherwise it will interpret FILENAME relative to the
 	 directory where the Emacs process runs.  Note that
 	 make-symbolic-link always makes sure LINKNAME is a fully
@@ -4024,10 +4024,10 @@
 	strncpy (tem, linkfn, p - linkfn);
       tem[p - linkfn] = '\0';
       strcat (tem, filename);
-      dir_access = sys_access (tem, D_OK);
+      dir_access = sys_faccessat (AT_FDCWD, tem, D_OK, AT_EACCESS);
     }
   else
-    dir_access = sys_access (filename, D_OK);
+    dir_access = sys_faccessat (AT_FDCWD, filename, D_OK, AT_EACCESS);
 
   /* Since Windows distinguishes between symlinks to directories and
      to files, we provide a kludgy feature: if FILENAME doesn't