From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#12632: file permissions checking mishandled when setuid
Date: Tue, 23 Oct 2012 12:27:21 -0700
Message-ID: <5086EF99.6060008@cs.ucla.edu>
To: Eli Zaretskii
Cc: 12632@debbugs.gnu.org

On 10/23/2012 09:44 AM, Eli Zaretskii wrote:
> Others, like "//.", are downright dangerous, because "\\.\" begins a
> device name on Windows.  With these arcana notoriously
> under-documented by MS, it is anybody's guess what such names can do
> in what APIs.

OK, thanks for explaining: I did not know about that syntax,
or about the behavior being undocumented and undefined.
Also, come to think of it, there will be problems with
drive prefixes.

Rather than try to fix these problems, which are on a platform
I'm not familiar with, I'll change the proposed code to
do the following.  This should be safe since it is what the
trunk currently does now (modulo some refactoring) when
on DOS or Windows platforms.  And it can be tuned for DOS
and Windows later, as needed.

/* If FILE is a searchable directory or a symlink to a
   searchable directory, return true.  Otherwise return
   false and set errno to an error number.  */
bool
file_accessible_directory_p (char const *file)
{
#ifdef DOS_NT
  /* File names may have drive prefixes and "/" is not the only
     separator, so the POSIXish approach doesn't work in general.
     Use a straightforward approach instead.  */
  return file_directory_p (file) && check_executable (file);
#else
  /* On POSIXish platforms, use just one system call; this avoids a
     race and is typically faster.  */
  ptrdiff_t len = strlen (file);
  char const *dir;
  bool ok;
  int saved_errno;
  USE_SAFE_ALLOCA;

  /* Normally a file "FOO" is an accessible directory if "FOO/." exists.
     There are three exceptions: "", "/", and "//".  Leave "" alone,
     as it's invalid.  Append only "." to the other two exceptions as
     "/" and "//" are distinct on some platforms, whereas "/", "///",
     "////", etc. are all equivalent.  */
  if (! len)
    dir = file;
  else
    {
      /* Just check for trailing '/' when deciding whether to append '/'.
         That's simpler than testing the two special cases "/" and "//",
         and it's a safe optimization here.  */
      char *buf = SAFE_ALLOCA (len + 3);
      memcpy (buf, file, len);
      strcpy (buf + len, "/." + (file[len - 1] == '/'));
      dir = buf;
    }

  ok = check_existing (dir);
  saved_errno = errno;
  SAFE_FREE ();
  errno = saved_errno;
  return ok;
#endif
}
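
Added example (not part of the message above and not Emacs source): a stand-alone C version of the POSIX branch, showing that a single lookup of "FOO/." decides both whether FOO is a directory and whether the effective user may search it. The names accessible_directory_p and demo are hypothetical, stat() is used as a stand-in for Emacs's check_existing, and the paths under /tmp are constructed for the demonstration.

```c
/* Added example, not Emacs source.  accessible_directory_p and demo are
   hypothetical names; stat() stands in for Emacs's check_existing.  */
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "FOO/." resolves only if FOO is, or links to, a directory that the
   effective user may search, so one stat call answers both questions
   with no window between a directory test and a permission test.  */
static bool accessible_directory_p (char const *file)
{
  size_t len = strlen (file);
  char buf[4096];
  struct stat st;
  if (len == 0 || len + 3 > sizeof buf)
    return errno = len ? ENAMETOOLONG : ENOENT, false;
  memcpy (buf, file, len);
  /* Append "/.", or only "." when FILE already ends in '/'.  */
  strcpy (buf + len, &"/."[file[len - 1] == '/']);
  return stat (buf, &st) == 0;
}

/* Run the cases on constructed paths; return the number of wrong answers.  */
static int demo (void)
{
  char dir[] = "/tmp/fadp-XXXXXX", file[64], lnk[64];
  if (!mkdtemp (dir))
    return -1;
  snprintf (file, sizeof file, "%s/f", dir);
  snprintf (lnk, sizeof lnk, "%s/l", dir);
  FILE *fp = fopen (file, "w");
  if (!fp || fclose (fp) != 0 || symlink (dir, lnk) != 0)
    return -1;
  int bad = !accessible_directory_p (dir) + !accessible_directory_p (lnk);
  bad += accessible_directory_p (file) || errno != ENOTDIR;
  bad += accessible_directory_p ("") || errno != ENOENT;
  bad += !accessible_directory_p ("/") + !accessible_directory_p ("//");
  if (geteuid () != 0 && chmod (dir, 0) == 0)  /* root ignores search bits */
    bad += accessible_directory_p (dir) || errno != EACCES;
  chmod (dir, 0700);
  unlink (lnk); unlink (file); rmdir (dir);
  return bad;
}

int main (void) { return demo () != 0; }
```

Path resolution in stat() is checked against the effective IDs, whereas access() checks the real IDs, which is the distinction the bug title refers to for setuid programs.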