From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Paul Eggert Newsgroups: gmane.emacs.bugs Subject: bug#12632: file permissions checking mishandled when setuid Date: Mon, 15 Oct 2012 14:38:05 -0700 Message-ID: <507C823D.40304@cs.ucla.edu> References: <5078CAB6.7020509@cs.ucla.edu> <83fw5i7s4p.fsf@gnu.org> <83a9vq7oqh.fsf@gnu.org> <507A58CC.10209@cs.ucla.edu> <83fw5h5yo6.fsf@gnu.org> <507B010F.20105@cs.ucla.edu> <831uh06gqd.fsf@gnu.org> <507B15B0.2040802@cs.ucla.edu> <83txtw4xmk.fsf@gnu.org> <507B2354.3030408@cs.ucla.edu> <83sj9g4vy7.fsf@gnu.org> <507BAA6C.2000601@cs.ucla.edu> <83lif74p78.fsf@gnu.org> NNTP-Posting-Host: plane.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Trace: ger.gmane.org 1350337138 28803 80.91.229.3 (15 Oct 2012 21:38:58 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Mon, 15 Oct 2012 21:38:58 +0000 (UTC) Cc: 12632@debbugs.gnu.org To: Eli Zaretskii Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Mon Oct 15 23:39:04 2012 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1TNsNM-0007gk-70 for geb-bug-gnu-emacs@m.gmane.org; Mon, 15 Oct 2012 23:39:04 +0200 Original-Received: from localhost ([::1]:38679 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNsNF-00081E-A6 for geb-bug-gnu-emacs@m.gmane.org; Mon, 15 Oct 2012 17:38:57 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:53632) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNsNC-0007vl-JJ for bug-gnu-emacs@gnu.org; Mon, 15 Oct 2012 17:38:55 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TNsNB-0004iR-HX for bug-gnu-emacs@gnu.org; Mon, 15 Oct 2012 17:38:54 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:35552) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNsNB-0004iL-EC for bug-gnu-emacs@gnu.org; Mon, 15 Oct 2012 17:38:53 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72) (envelope-from ) id 1TNsOI-0003XZ-7V for bug-gnu-emacs@gnu.org; Mon, 15 Oct 2012 17:40:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Paul Eggert Original-Sender: debbugs-submit-bounces@debbugs.gnu.org Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Mon, 15 Oct 2012 21:40:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 12632 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 12632-submit@debbugs.gnu.org id=B12632.135033716513563 (code B ref 12632); Mon, 15 Oct 2012 21:40:02 +0000 Original-Received: (at 12632) by debbugs.gnu.org; 15 Oct 2012 21:39:25 +0000 Original-Received: from localhost ([127.0.0.1]:45803 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNsNg-0003Wh-NB for submit@debbugs.gnu.org; Mon, 15 Oct 2012 17:39:25 -0400 Original-Received: from smtp.cs.ucla.edu ([131.179.128.62]:39595) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNsNe-0003WV-II for 12632@debbugs.gnu.org; Mon, 15 Oct 2012 17:39:24 -0400 Original-Received: from localhost (localhost.localdomain [127.0.0.1]) by smtp.cs.ucla.edu (Postfix) with ESMTP id CB68EA6001C; Mon, 15 Oct 2012 14:38:07 -0700 (PDT) X-Virus-Scanned: amavisd-new at smtp.cs.ucla.edu Original-Received: from smtp.cs.ucla.edu ([127.0.0.1]) by localhost (smtp.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8XlfoInAnRs5; Mon, 15 Oct 2012 14:38:06 -0700 (PDT) Original-Received: from penguin.cs.ucla.edu (Penguin.CS.UCLA.EDU [131.179.64.200]) by smtp.cs.ucla.edu (Postfix) with ESMTPSA id A524539E810A; Mon, 15 Oct 2012 14:38:06 -0700 (PDT) User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:16.0) Gecko/20121009 Thunderbird/16.0 In-Reply-To: <83lif74p78.fsf@gnu.org> X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.13 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:65647 Archived-At: On 10/15/2012 10:31 AM, Eli Zaretskii wrote: > Well, actually I thought we should stay with 'stat'. We cannot stay with 'stat' everywhere, since 'stat' does not tell us whether a file is readable or writeable or executable. We must use faccessat (or something like it, e.g., euidaccess) when we're implementing functions like check_writable, check_executable, or basically any function that uses R_OK, W_OK, or X_OK. It's true that we could use 'stat' instead of faccessat(..., F_OK, ...), but the question then arises, why bother to make a special case for F_OK? > So 'stat' is still better, IMO, because it is very efficient Why should 'stat' be more efficient than faccessat? 'stat' has more work to do if successful, as it needs to gather and copy a 'struct stat' from kernel space to user space. faccessat doesn't need to do that. I did try timing the two, and found that on some hosts 'stat' is faster, and on others 'faccessat' is. Presumably 'stat' is faster on platforms where, as you say, people have worked harder to tune it. But the differences are not universal enough, or large enough, to say that 'stat' is very efficient and faccessat is not. > you need to change all the calls to sys_access inside > w32.c, or else Emacs won't link on Windows. Thanks, the following further patch should do that. === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-15 06:07:05 +0000 +++ src/ChangeLog 2012-10-15 21:35:25 +0000 @@ -23,7 +23,7 @@ stat, as that avoids a permissions race. When not opening a file, use file_directory_p rather than stat. * w32.c (sys_faccessat): Rename from sys_access and switch to - faccessat's API. + faccessat's API. All uses changed. 2012-10-15 Daniel Colascione === modified file 'src/w32.c' --- src/w32.c 2012-10-15 06:05:46 +0000 +++ src/w32.c 2012-10-15 21:35:25 +0000 @@ -1590,7 +1590,7 @@ see if it succeeds. But I think that's too much to ask. */ /* MSVCRT's _access crashes with D_OK. */ - if (tmp && sys_access (tmp, D_OK) == 0) + if (tmp && sys_faccessat (AT_FDCWD, tmp, D_OK, AT_EACCESS) == 0) { char * var = alloca (strlen (tmp) + 8); sprintf (var, "TMPDIR=%s", tmp); @@ -2959,7 +2959,7 @@ { int save_errno = errno; p[0] = first_char[i]; - if (sys_access (template, 0) < 0) + if (sys_faccessat (AT_FDCWD, template, F_OK, AT_EACCESS) < 0) { errno = save_errno; return template; @@ -4010,7 +4010,7 @@ { /* Non-absolute FILENAME is understood as being relative to LINKNAME's directory. We need to prepend that directory to - FILENAME to get correct results from sys_access below, since + FILENAME to get correct results from sys_faccessat below, since otherwise it will interpret FILENAME relative to the directory where the Emacs process runs. Note that make-symbolic-link always makes sure LINKNAME is a fully @@ -4024,10 +4024,10 @@ strncpy (tem, linkfn, p - linkfn); tem[p - linkfn] = '\0'; strcat (tem, filename); - dir_access = sys_access (tem, D_OK); + dir_access = sys_faccessat (AT_FDCWD, tem, D_OK, AT_EACCESS); } else - dir_access = sys_access (filename, D_OK); + dir_access = sys_faccessat (AT_FDCWD, filename, D_OK, AT_EACCESS); /* Since Windows distinguishes between symlinks to directories and to files, we provide a kludgy feature: if FILENAME doesn't