* bug#12632: file permissions checking mishandled when setuid @ 2012-10-13 1:58 Paul Eggert 2012-10-13 7:23 ` Eli Zaretskii 2012-11-13 2:19 ` bug#12632: updated version of the patch Paul Eggert 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-13 1:58 UTC (permalink / raw) To: 12632 Tags: patch In two places Emacs uses 'euidaccess' if available, falling back on 'access' otherwise; on GNUish platforms this properly checks file permissions on when Emacs is running setuid on platforms that have 'euidaccess'. Unfortunately, the 'access' fallback means setuid Emacs is mishandling file permissions on POSIXish platforms that lack 'euidaccess'. Also, in seven other places Emacs invokes 'access' directly, even though 'euidaccess' is what's wanted, which means setuid Emacs is mishandling these file permissions even on GNUish platforms. Here's a patch. This patch has a four FIXMEs indicating where the code could most likely be cleaned up on DOS_NT platforms. The patch should work fine as-is on DOS_NT, but it'd be nicer if the DOS_NT support could supply an euidaccess function to allow simplifying the mainline code. I'll CC: this bug report to Eli to give him a heads-up. === modified file 'ChangeLog' --- ChangeLog 2012-10-11 11:29:47 +0000 +++ ChangeLog 2012-10-13 01:49:41 +0000 @@ -1,3 +1,12 @@ +2012-10-13 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions. + * configure.ac (euidaccess): Remove check; gnulib does this for us now. + * lib/euidaccess.c, lib/getgroups.c, lib/group-member.c: + * lib/root-uid.h, lib/xalloc-oversized.h, m4/euidaccess.m4: + * m4/getgroups.m4, m4/group-member.m4: New files, from gnulib. + * lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate. + 2012-10-11 Kenichi Handa <handa@gnu.org> * .bzrignore: Add several files under admin/charsets. === modified file 'admin/ChangeLog' --- admin/ChangeLog 2012-10-11 11:29:47 +0000 +++ admin/ChangeLog 2012-10-13 01:49:41 +0000 @@ -1,3 +1,9 @@ +2012-10-13 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions. + * merge-gnulib (GNULIB_MODULES): Add euidaccess. + (GNULIB_TOOL_FLAGS): Avoid malloc-posix. + 2012-10-11 Kenichi Handa <handa@gnu.org> * charsets/mapconv: Adjusted for the change of mapfiles/*.gz to === modified file 'admin/merge-gnulib' --- admin/merge-gnulib 2012-09-27 01:06:23 +0000 +++ admin/merge-gnulib 2012-10-12 23:28:31 +0000 @@ -28,7 +28,7 @@ GNULIB_MODULES=' alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 - dtoastr dtotimespec dup2 environ execinfo + dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink @@ -40,7 +40,7 @@ GNULIB_TOOL_FLAGS=' --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat - --avoid=msvc-inval --avoid=msvc-nothrow + --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --conditional-dependencies --import --no-changelog --no-vc-files === modified file 'configure.ac' --- configure.ac 2012-10-08 16:09:00 +0000 +++ configure.ac 2012-10-12 23:28:31 +0000 @@ -2872,7 +2872,7 @@ AC_CHECK_FUNCS(gethostname \ closedir getrusage get_current_dir_name \ lrand48 setsid \ -fpathconf select euidaccess getpagesize setlocale \ +fpathconf select getpagesize setlocale \ utimes getrlimit setrlimit setpgid getcwd shutdown getaddrinfo \ __fpending strsignal setitimer \ sendto recvfrom getsockname getpeername getifaddrs freeifaddrs \ === added file 'lib/euidaccess.c' --- lib/euidaccess.c 1970-01-01 00:00:00 +0000 +++ lib/euidaccess.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,221 @@ +/* euidaccess -- check if effective user id can access file + + Copyright (C) 1990-1991, 1995, 1998, 2000, 2003-2006, 2008-2012 Free + Software Foundation, Inc. + + This file is part of the GNU C Library. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by David MacKenzie and Torbjorn Granlund. + Adapted for GNU C library by Roland McGrath. */ + +#ifndef _LIBC +# include <config.h> +#endif + +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "root-uid.h" + +#if HAVE_LIBGEN_H +# include <libgen.h> +#endif + +#include <errno.h> +#ifndef __set_errno +# define __set_errno(val) errno = (val) +#endif + +#if defined EACCES && !defined EACCESS +# define EACCESS EACCES +#endif + +#ifndef F_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + + +#ifdef _LIBC + +# define access __access +# define getuid __getuid +# define getgid __getgid +# define geteuid __geteuid +# define getegid __getegid +# define group_member __group_member +# define euidaccess __euidaccess +# undef stat +# define stat stat64 + +#endif + +/* Return 0 if the user has permission of type MODE on FILE; + otherwise, return -1 and set 'errno'. + Like access, except that it uses the effective user and group + id's instead of the real ones, and it does not always check for read-only + file system, text busy, etc. */ + +int +euidaccess (const char *file, int mode) +{ +#if HAVE_FACCESSAT /* glibc, AIX 7, Solaris 11, Cygwin 1.7 */ + return faccessat (AT_FDCWD, file, mode, AT_EACCESS); +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ + return access (file, mode | EFF_ONLY_OK); +#elif defined ACC_SELF /* AIX */ + return accessx (file, mode, ACC_SELF); +#elif HAVE_EACCESS /* FreeBSD */ + return eaccess (file, mode); +#else /* Mac OS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ + + uid_t uid = getuid (); + gid_t gid = getgid (); + uid_t euid = geteuid (); + gid_t egid = getegid (); + struct stat stats; + +# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS + + /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to + return the correct result even if this would make it + nonreentrant. Define this only if your entire application is + safe even if the uid or gid might temporarily change. If your + application uses signal handlers or threads it is probably not + safe. */ + + if (mode == F_OK) + return stat (file, &stats); + else + { + int result; + int saved_errno; + + if (uid != euid) + setreuid (euid, uid); + if (gid != egid) + setregid (egid, gid); + + result = access (file, mode); + saved_errno = errno; + + /* Restore them. */ + if (uid != euid) + setreuid (uid, euid); + if (gid != egid) + setregid (gid, egid); + + errno = saved_errno; + return result; + } + +# else + + /* The following code assumes the traditional Unix model, and is not + correct on systems that have ACLs or the like. However, it's + better than nothing, and it is reentrant. */ + + unsigned int granted; + if (uid == euid && gid == egid) + /* If we are not set-uid or set-gid, access does the same. */ + return access (file, mode); + + if (stat (file, &stats) != 0) + return -1; + + /* The super-user can read and write any file, and execute any file + that anyone can execute. */ + if (euid == ROOT_UID + && ((mode & X_OK) == 0 + || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) + return 0; + + /* Convert the mode to traditional form, clearing any bogus bits. */ + if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0) + mode &= 7; + else + mode = ((mode & R_OK ? 4 : 0) + + (mode & W_OK ? 2 : 0) + + (mode & X_OK ? 1 : 0)); + + if (mode == 0) + return 0; /* The file exists. */ + + /* Convert the file's permission bits to traditional form. */ + if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6) + && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3) + && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0)) + granted = stats.st_mode; + else + granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0) + + (stats.st_mode & S_IWUSR ? 2 << 6 : 0) + + (stats.st_mode & S_IXUSR ? 1 << 6 : 0) + + (stats.st_mode & S_IRGRP ? 4 << 3 : 0) + + (stats.st_mode & S_IWGRP ? 2 << 3 : 0) + + (stats.st_mode & S_IXGRP ? 1 << 3 : 0) + + (stats.st_mode & S_IROTH ? 4 << 0 : 0) + + (stats.st_mode & S_IWOTH ? 2 << 0 : 0) + + (stats.st_mode & S_IXOTH ? 1 << 0 : 0)); + + if (euid == stats.st_uid) + granted >>= 6; + else if (egid == stats.st_gid || group_member (stats.st_gid)) + granted >>= 3; + + if ((mode & ~granted) == 0) + return 0; + __set_errno (EACCESS); + return -1; + +# endif +#endif +} +#undef euidaccess +#ifdef weak_alias +weak_alias (__euidaccess, euidaccess) +#endif +\f +#ifdef TEST +# include <error.h> +# include <stdio.h> +# include <stdlib.h> + +char *program_name; + +int +main (int argc, char **argv) +{ + char *file; + int mode; + int err; + + program_name = argv[0]; + if (argc < 3) + abort (); + file = argv[1]; + mode = atoi (argv[2]); + + err = euidaccess (file, mode); + printf ("%d\n", err); + if (err != 0) + error (0, errno, "%s", file); + exit (0); +} +#endif === added file 'lib/getgroups.c' --- lib/getgroups.c 1970-01-01 00:00:00 +0000 +++ lib/getgroups.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,116 @@ +/* provide consistent interface to getgroups for systems that don't allow N==0 + + Copyright (C) 1996, 1999, 2003, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdint.h> + +#if !HAVE_GETGROUPS + +/* Provide a stub that fails with ENOSYS, since there is no group + information available on mingw. */ +int +getgroups (int n _GL_UNUSED, GETGROUPS_T *groups _GL_UNUSED) +{ + errno = ENOSYS; + return -1; +} + +#else /* HAVE_GETGROUPS */ + +# undef getgroups +# ifndef GETGROUPS_ZERO_BUG +# define GETGROUPS_ZERO_BUG 0 +# endif + +/* On at least Ultrix 4.3 and NextStep 3.2, getgroups (0, NULL) always + fails. On other systems, it returns the number of supplemental + groups for the process. This function handles that special case + and lets the system-provided function handle all others. However, + it can fail with ENOMEM if memory is tight. It is unspecified + whether the effective group id is included in the list. */ + +int +rpl_getgroups (int n, gid_t *group) +{ + int n_groups; + GETGROUPS_T *gbuf; + int saved_errno; + + if (n < 0) + { + errno = EINVAL; + return -1; + } + + if (n != 0 || !GETGROUPS_ZERO_BUG) + { + int result; + if (sizeof *group == sizeof *gbuf) + return getgroups (n, (GETGROUPS_T *) group); + + if (SIZE_MAX / sizeof *gbuf <= n) + { + errno = ENOMEM; + return -1; + } + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + result = getgroups (n, gbuf); + if (0 <= result) + { + n = result; + while (n--) + group[n] = gbuf[n]; + } + saved_errno = errno; + free (gbuf); + errno == saved_errno; + return result; + } + + n = 20; + while (1) + { + /* No need to worry about address arithmetic overflow here, + since the ancient systems that we're running on have low + limits on the number of secondary groups. */ + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + n_groups = getgroups (n, gbuf); + if (n_groups == -1 ? errno != EINVAL : n_groups < n) + break; + free (gbuf); + n *= 2; + } + + saved_errno = errno; + free (gbuf); + errno = saved_errno; + + return n_groups; +} + +#endif /* HAVE_GETGROUPS */ === modified file 'lib/gnulib.mk' --- lib/gnulib.mk 2012-10-04 07:15:42 +0000 +++ lib/gnulib.mk 2012-10-12 23:28:31 +0000 @@ -21,7 +21,7 @@ # the same distribution terms as the rest of that program. # # Generated by gnulib-tool. -# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys _time time timer-time timespec-add timespec-sub utimens warnings +# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoima x strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings MOSTLYCLEANFILES += core *.stackdump @@ -150,6 +150,15 @@ ## end gnulib module dup2 +## begin gnulib module euidaccess + + +EXTRA_DIST += euidaccess.c + +EXTRA_libgnu_a_SOURCES += euidaccess.c + +## end gnulib module euidaccess + ## begin gnulib module execinfo BUILT_SOURCES += $(EXECINFO_H) @@ -183,6 +192,17 @@ ## end gnulib module filemode +## begin gnulib module getgroups + +if gl_GNULIB_ENABLED_getgroups + +endif +EXTRA_DIST += getgroups.c + +EXTRA_libgnu_a_SOURCES += getgroups.c + +## end gnulib module getgroups + ## begin gnulib module getloadavg @@ -242,6 +262,17 @@ ## end gnulib module gettimeofday +## begin gnulib module group-member + +if gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1 + +endif +EXTRA_DIST += group-member.c + +EXTRA_libgnu_a_SOURCES += group-member.c + +## end gnulib module group-member + ## begin gnulib module ignore-value @@ -354,6 +385,13 @@ ## end gnulib module readlink +## begin gnulib module root-uid + + +EXTRA_DIST += root-uid.h + +## end gnulib module root-uid + ## begin gnulib module signal-h BUILT_SOURCES += signal.h @@ -1312,6 +1350,15 @@ ## end gnulib module verify +## begin gnulib module xalloc-oversized + +if gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec + +endif +EXTRA_DIST += xalloc-oversized.h + +## end gnulib module xalloc-oversized + mostlyclean-local: mostlyclean-generic @for dir in '' $(MOSTLYCLEANDIRS); do \ === added file 'lib/group-member.c' --- lib/group-member.c 1970-01-01 00:00:00 +0000 +++ lib/group-member.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,119 @@ +/* group-member.c -- determine whether group id is in calling user's group list + + Copyright (C) 1994, 1997-1998, 2003, 2005-2006, 2009-2012 Free Software + Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +/* Specification. */ +#include <unistd.h> + +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> + +#include "xalloc-oversized.h" + +/* Most processes have no more than this many groups, and for these + processes we can avoid using malloc. */ +enum { GROUPBUF_SIZE = 100 }; + +struct group_info + { + gid_t *group; + gid_t groupbuf[GROUPBUF_SIZE]; + }; + +static void +free_group_info (struct group_info const *g) +{ + if (g->group != g->groupbuf) + free (g->group); +} + +static int +get_group_info (struct group_info *gi) +{ + int n_groups = getgroups (GROUPBUF_SIZE, gi->groupbuf); + gi->group = gi->groupbuf; + + if (n_groups < 0) + { + int n_group_slots = getgroups (0, NULL); + if (0 <= n_group_slots + && ! xalloc_oversized (n_group_slots, sizeof *gi->group)) + { + gi->group = malloc (n_group_slots * sizeof *gi->group); + if (gi->group) + n_groups = getgroups (n_group_slots, gi->group); + } + } + + /* In case of error, the user loses. */ + return n_groups; +} + +/* Return non-zero if GID is one that we have in our groups list. + Note that the groups list is not guaranteed to contain the current + or effective group ID, so they should generally be checked + separately. */ + +int +group_member (gid_t gid) +{ + int i; + int found; + struct group_info gi; + int n_groups = get_group_info (&gi); + + /* Search through the list looking for GID. */ + found = 0; + for (i = 0; i < n_groups; i++) + { + if (gid == gi.group[i]) + { + found = 1; + break; + } + } + + free_group_info (&gi); + + return found; +} + +#ifdef TEST + +char *program_name; + +int +main (int argc, char **argv) +{ + int i; + + program_name = argv[0]; + + for (i = 1; i < argc; i++) + { + gid_t gid; + + gid = atoi (argv[i]); + printf ("%d: %s\n", gid, group_member (gid) ? "yes" : "no"); + } + exit (0); +} + +#endif /* TEST */ === added file 'lib/root-uid.h' --- lib/root-uid.h 1970-01-01 00:00:00 +0000 +++ lib/root-uid.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,30 @@ +/* The user ID that always has appropriate privileges in the POSIX sense. + + Copyright 2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + + Written by Paul Eggert. */ + +#ifndef ROOT_UID_H_ +#define ROOT_UID_H_ + +/* The user ID that always has appropriate privileges in the POSIX sense. */ +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + +#endif === added file 'lib/xalloc-oversized.h' --- lib/xalloc-oversized.h 1970-01-01 00:00:00 +0000 +++ lib/xalloc-oversized.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,38 @@ +/* xalloc-oversized.h -- memory allocation size checking + + Copyright (C) 1990-2000, 2003-2004, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#ifndef XALLOC_OVERSIZED_H_ +# define XALLOC_OVERSIZED_H_ + +# include <stddef.h> + +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not a function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +#endif /* !XALLOC_OVERSIZED_H_ */ === added file 'm4/euidaccess.m4' --- m4/euidaccess.m4 1970-01-01 00:00:00 +0000 +++ m4/euidaccess.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,52 @@ +# euidaccess.m4 serial 14 +dnl Copyright (C) 2002-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS], +[ + AC_REQUIRE([gl_FUNC_EUIDACCESS]) + AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], [1], + [Define this if you prefer euidaccess to return the correct result + even if this would make it nonreentrant. Define this only if your + entire application is safe even if the uid or gid might temporarily + change. If your application uses signal handlers or threads it + is probably not safe.]) +]) + +AC_DEFUN([gl_FUNC_EUIDACCESS], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare euidaccess(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS([euidaccess]) + if test $ac_cv_func_euidaccess = no; then + HAVE_EUIDACCESS=0 + fi +]) + +# Prerequisites of lib/euidaccess.c. +AC_DEFUN([gl_PREREQ_EUIDACCESS], [ + dnl Prefer POSIX faccessat over non-standard euidaccess. + AC_CHECK_FUNCS_ONCE([faccessat]) + dnl Try various other non-standard fallbacks. + AC_CHECK_HEADERS_ONCE([libgen.h]) + AC_CHECK_DECLS_ONCE([setregid]) + AC_REQUIRE([AC_FUNC_GETGROUPS]) + + # Solaris 9 and 10 need -lgen to get the eaccess function. + # Save and restore LIBS so -lgen isn't added to it. Otherwise, *all* + # programs in the package would end up linked with that potentially-shared + # library, inducing unnecessary run-time overhead. + LIB_EACCESS= + AC_SUBST([LIB_EACCESS]) + gl_saved_libs=$LIBS + AC_SEARCH_LIBS([eaccess], [gen], + [test "$ac_cv_search_eaccess" = "none required" || + LIB_EACCESS=$ac_cv_search_eaccess]) + AC_CHECK_FUNCS([eaccess]) + LIBS=$gl_saved_libs +]) === added file 'm4/getgroups.m4' --- m4/getgroups.m4 1970-01-01 00:00:00 +0000 +++ m4/getgroups.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,107 @@ +# serial 18 + +dnl From Jim Meyering. +dnl A wrapper around AC_FUNC_GETGROUPS. + +# Copyright (C) 1996-1997, 1999-2004, 2008-2012 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +m4_version_prereq([2.70], [] ,[ + +# This is taken from the following Autoconf patch: +# http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=commitdiff;h=7fbb553727ed7e0e689a17594b58559ecf3ea6e9 +AC_DEFUN([AC_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl for cross-compiles + AC_CHECK_FUNC([getgroups]) + + # If we don't yet have getgroups, see if it's in -lbsd. + # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1. + ac_save_LIBS=$LIBS + if test $ac_cv_func_getgroups = no; then + AC_CHECK_LIB(bsd, getgroups, [GETGROUPS_LIB=-lbsd]) + fi + + # Run the program to test the functionality of the system-supplied + # getgroups function only if there is such a function. + if test $ac_cv_func_getgroups = yes; then + AC_CACHE_CHECK([for working getgroups], [ac_cv_func_getgroups_works], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [AC_INCLUDES_DEFAULT], + [[/* On Ultrix 4.3, getgroups (0, 0) always fails. */ + return getgroups (0, 0) == -1;]]) + ], + [ac_cv_func_getgroups_works=yes], + [ac_cv_func_getgroups_works=no], + [case "$host_os" in # (( + # Guess yes on glibc systems. + *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) ac_cv_func_getgroups_works="guessing no" ;; + esac + ]) + ]) + else + ac_cv_func_getgroups_works=no + fi + case "$ac_cv_func_getgroups_works" in + *yes) + AC_DEFINE([HAVE_GETGROUPS], [1], + [Define to 1 if your system has a working `getgroups' function.]) + ;; + esac + LIBS=$ac_save_LIBS +])# AC_FUNC_GETGROUPS + +]) + +AC_DEFUN([gl_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + AC_REQUIRE([AC_CANONICAL_HOST]) dnl for cross-compiles + + AC_FUNC_GETGROUPS + if test $ac_cv_func_getgroups != yes; then + HAVE_GETGROUPS=0 + else + if test "$ac_cv_type_getgroups" != gid_t \ + || { case "$ac_cv_func_getgroups_works" in + *yes) false;; + *) true;; + esac + }; then + REPLACE_GETGROUPS=1 + AC_DEFINE([GETGROUPS_ZERO_BUG], [1], [Define this to 1 if + getgroups(0,NULL) does not return the number of groups.]) + else + dnl Detect FreeBSD bug; POSIX requires getgroups(-1,ptr) to fail. + AC_CACHE_CHECK([whether getgroups handles negative values], + [gl_cv_func_getgroups_works], + [AC_RUN_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[int size = getgroups (0, 0); + gid_t *list = malloc (size * sizeof *list); + return getgroups (-1, list) != -1;]])], + [gl_cv_func_getgroups_works=yes], + [gl_cv_func_getgroups_works=no], + [case "$host_os" in + # Guess yes on glibc systems. + *-gnu*) gl_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) gl_cv_func_getgroups_works="guessing no" ;; + esac + ])]) + case "$gl_cv_func_getgroups_works" in + *yes) ;; + *) REPLACE_GETGROUPS=1 ;; + esac + fi + fi + test -n "$GETGROUPS_LIB" && LIBS="$GETGROUPS_LIB $LIBS" +]) === modified file 'm4/gnulib-comp.m4' --- m4/gnulib-comp.m4 2012-09-27 01:06:23 +0000 +++ m4/gnulib-comp.m4 2012-10-12 23:28:31 +0000 @@ -53,17 +53,20 @@ # Code from module dtotimespec: # Code from module dup2: # Code from module environ: + # Code from module euidaccess: # Code from module execinfo: # Code from module extensions: AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) # Code from module extern-inline: # Code from module filemode: + # Code from module getgroups: # Code from module getloadavg: # Code from module getopt-gnu: # Code from module getopt-posix: # Code from module gettext-h: # Code from module gettime: # Code from module gettimeofday: + # Code from module group-member: # Code from module ignore-value: # Code from module include_next: # Code from module intprops: @@ -79,6 +82,7 @@ # Code from module pselect: # Code from module pthread_sigmask: # Code from module readlink: + # Code from module root-uid: # Code from module signal-h: # Code from module snippet/_Noreturn: # Code from module snippet/arg-nonnull: @@ -120,6 +124,7 @@ # Code from module utimens: # Code from module verify: # Code from module warnings: + # Code from module xalloc-oversized: ]) # This macro should be invoked from ./configure.ac, in the section @@ -154,6 +159,12 @@ gl_UNISTD_MODULE_INDICATOR([dup2]) gl_ENVIRON gl_UNISTD_MODULE_INDICATOR([environ]) + gl_FUNC_EUIDACCESS + if test $HAVE_EUIDACCESS = 0; then + AC_LIBOBJ([euidaccess]) + gl_PREREQ_EUIDACCESS + fi + gl_UNISTD_MODULE_INDICATOR([euidaccess]) gl_EXECINFO_H AC_REQUIRE([gl_EXTERN_INLINE]) gl_FILEMODE @@ -269,18 +280,32 @@ gl_UNISTD_H gl_UTIMENS gl_gnulib_enabled_dosname=false + gl_gnulib_enabled_getgroups=false gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=false + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=false gl_gnulib_enabled_pathmax=false gl_gnulib_enabled_stat=false gl_gnulib_enabled_strtoll=false gl_gnulib_enabled_strtoull=false gl_gnulib_enabled_verify=false + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=false func_gl_gnulib_m4code_dosname () { if ! $gl_gnulib_enabled_dosname; then gl_gnulib_enabled_dosname=true fi } + func_gl_gnulib_m4code_getgroups () + { + if ! $gl_gnulib_enabled_getgroups; then + gl_FUNC_GETGROUPS + if test $HAVE_GETGROUPS = 0 || test $REPLACE_GETGROUPS = 1; then + AC_LIBOBJ([getgroups]) + fi + gl_UNISTD_MODULE_INDICATOR([getgroups]) + gl_gnulib_enabled_getgroups=true + fi + } func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 () { if ! $gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36; then @@ -289,6 +314,24 @@ gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=true fi } + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 () + { + if ! $gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1; then + gl_FUNC_GROUP_MEMBER + if test $HAVE_GROUP_MEMBER = 0; then + AC_LIBOBJ([group-member]) + gl_PREREQ_GROUP_MEMBER + fi + gl_UNISTD_MODULE_INDICATOR([group-member]) + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=true + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_getgroups + fi + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec + fi + fi + } func_gl_gnulib_m4code_pathmax () { if ! $gl_gnulib_enabled_pathmax; then @@ -347,6 +390,18 @@ gl_gnulib_enabled_verify=true fi } + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec () + { + if ! $gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec; then + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=true + fi + } + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 + fi + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_stat + fi if test $REPLACE_GETOPT = 1; then func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 fi @@ -373,12 +428,15 @@ fi m4_pattern_allow([^gl_GNULIB_ENABLED_]) AM_CONDITIONAL([gl_GNULIB_ENABLED_dosname], [$gl_gnulib_enabled_dosname]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_getgroups], [$gl_gnulib_enabled_getgroups]) AM_CONDITIONAL([gl_GNULIB_ENABLED_be453cec5eecf5731a274f2de7f2db36], [$gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1], [$gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1]) AM_CONDITIONAL([gl_GNULIB_ENABLED_pathmax], [$gl_gnulib_enabled_pathmax]) AM_CONDITIONAL([gl_GNULIB_ENABLED_stat], [$gl_gnulib_enabled_stat]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoll], [$gl_gnulib_enabled_strtoll]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoull], [$gl_gnulib_enabled_strtoull]) AM_CONDITIONAL([gl_GNULIB_ENABLED_verify], [$gl_gnulib_enabled_verify]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec], [$gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec]) # End of code from modules m4_ifval(gl_LIBSOURCES_LIST, [ m4_syscmd([test ! -d ]m4_defn([gl_LIBSOURCES_DIR])[ || @@ -538,12 +596,14 @@ lib/dtoastr.c lib/dtotimespec.c lib/dup2.c + lib/euidaccess.c lib/execinfo.c lib/execinfo.in.h lib/filemode.c lib/filemode.h lib/ftoastr.c lib/ftoastr.h + lib/getgroups.c lib/getloadavg.c lib/getopt.c lib/getopt.in.h @@ -552,6 +612,7 @@ lib/gettext.h lib/gettime.c lib/gettimeofday.c + lib/group-member.c lib/ignore-value.h lib/intprops.h lib/inttypes.in.h @@ -564,6 +625,7 @@ lib/pselect.c lib/pthread_sigmask.c lib/readlink.c + lib/root-uid.h lib/sha1.c lib/sha1.h lib/sha256.c @@ -605,21 +667,25 @@ lib/utimens.c lib/utimens.h lib/verify.h + lib/xalloc-oversized.h m4/00gnulib.m4 m4/alloca.m4 m4/c-strtod.m4 m4/clock_time.m4 m4/dup2.m4 m4/environ.m4 + m4/euidaccess.m4 m4/execinfo.m4 m4/extensions.m4 m4/extern-inline.m4 m4/filemode.m4 + m4/getgroups.m4 m4/getloadavg.m4 m4/getopt.m4 m4/gettime.m4 m4/gettimeofday.m4 m4/gnulib-common.m4 + m4/group-member.m4 m4/include_next.m4 m4/inttypes.m4 m4/largefile.m4 === added file 'm4/group-member.m4' --- m4/group-member.m4 1970-01-01 00:00:00 +0000 +++ m4/group-member.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,29 @@ +# serial 14 + +# Copyright (C) 1999-2001, 2003-2007, 2009-2012 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +dnl Written by Jim Meyering + +AC_DEFUN([gl_FUNC_GROUP_MEMBER], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare group_member(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + dnl Do this replacement check manually because I want the hyphen + dnl (not the underscore) in the filename. + AC_CHECK_FUNC([group_member], , [ + HAVE_GROUP_MEMBER=0 + ]) +]) + +# Prerequisites of lib/group-member.c. +AC_DEFUN([gl_PREREQ_GROUP_MEMBER], +[ + AC_REQUIRE([AC_FUNC_GETGROUPS]) +]) === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-13 00:52:01 +0000 +++ src/ChangeLog 2012-10-13 01:49:41 +0000 @@ -1,5 +1,22 @@ 2012-10-13 Paul Eggert <eggert@cs.ucla.edu> + Use euidaccess, not access, when checking file permissions. + * Makefile.in (LIB_EACCESS): New macro. + (LIBES): Use it. + * callproc.c (init_callproc): + * charset.c (init_charset): + * fileio.c (check_existing) [!DOS_NT]: + (check_executable) [!DOS_NT && !HAVE_EUIDACCESS]: + * lread.c (openp, load_path_check): + * process.c (allocate_pty): + * xrdb.c (file_p): + Use euidaccess, not access. Use symbolic names instead of integers + for the flags, as they're portable now. + * fileio.c (Ffile_readable_p) [!DOS_NT && !macintosh]: + Use euidaccess, not stat + open + close. + (Ffile_writable_p): Remove NILP check before calling euidaccess, + as nil isn't possible here. + Fix some stat-related races. * fileio.c (Fwrite_region): Avoid race condition if a file is removed or renamed by some other process immediately after Emacs === modified file 'src/Makefile.in' --- src/Makefile.in 2012-10-08 12:53:18 +0000 +++ src/Makefile.in 2012-10-13 01:49:41 +0000 @@ -150,6 +150,7 @@ M17N_FLT_LIBS = @M17N_FLT_LIBS@ LIB_CLOCK_GETTIME=@LIB_CLOCK_GETTIME@ +LIB_EACCESS=@LIB_EACCESS@ LIB_TIMER_TIME=@LIB_TIMER_TIME@ DBUS_CFLAGS = @DBUS_CFLAGS@ @@ -392,7 +393,7 @@ LIBES = $(LIBS) $(W32_LIBS) $(LIBX_BASE) $(LIBIMAGE) \ $(LIBX_OTHER) $(LIBSOUND) \ $(RSVG_LIBS) $(IMAGEMAGICK_LIBS) $(LIB_CLOCK_GETTIME) \ - $(LIB_TIMER_TIME) $(DBUS_LIBS) \ + $(LIB_EACCESS) $(LIB_TIMER_TIME) $(DBUS_LIBS) \ $(LIB_EXECINFO) \ $(LIBXML2_LIBS) $(LIBGPM) $(LIBRESOLV) $(LIBS_SYSTEM) \ $(LIBS_TERMCAP) $(GETLOADAVG_LIBS) $(SETTINGS_LIBS) $(LIBSELINUX_LIBS) \ === modified file 'src/callproc.c' --- src/callproc.c 2012-09-23 22:25:22 +0000 +++ src/callproc.c 2012-10-12 23:28:31 +0000 @@ -1597,13 +1597,13 @@ #endif { tempdir = Fdirectory_file_name (Vexec_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-dependent data dir (%s) does not exist.\n", Vexec_directory); } tempdir = Fdirectory_file_name (Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-independent data dir (%s) does not exist.\n", Vdata_directory); === modified file 'src/charset.c' --- src/charset.c 2012-10-01 06:36:54 +0000 +++ src/charset.c 2012-10-12 23:28:31 +0000 @@ -2293,7 +2293,7 @@ { Lisp_Object tempdir; tempdir = Fexpand_file_name (build_string ("charsets"), Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) != 0) { /* This used to be non-fatal (dir_warning), but it should not happen, and if it does sooner or later it will cause some === modified file 'src/fileio.c' --- src/fileio.c 2012-10-13 00:52:01 +0000 +++ src/fileio.c 2012-10-13 00:55:20 +0000 @@ -2428,13 +2428,11 @@ check_existing (const char *filename) { #ifdef DOS_NT - /* The full emulation of Posix 'stat' is too expensive on - DOS/Windows, when all we want to know is whether the file exists. - So we use 'access' instead, which is much more lightweight. */ + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ return (access (filename, F_OK) >= 0); #else - struct stat st; - return (stat (filename, &st) >= 0); + return euidaccess (filename, F_OK) == 0; #endif } @@ -2444,19 +2442,14 @@ check_executable (char *filename) { #ifdef DOS_NT + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return ((st.st_mode & S_IEXEC) != 0); #else /* not DOS_NT */ -#ifdef HAVE_EUIDACCESS - return (euidaccess (filename, 1) >= 0); -#else - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. */ - return (access (filename, 1) >= 0); -#endif + return euidaccess (filename, X_OK) == 0; #endif /* not DOS_NT */ } @@ -2466,13 +2459,14 @@ check_writable (const char *filename) { #ifdef MSDOS + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return (st.st_mode & S_IWRITE || S_ISDIR (st.st_mode)); #else /* not MSDOS */ -#ifdef HAVE_EUIDACCESS - bool res = (euidaccess (filename, 2) >= 0); + bool res = euidaccess (filename, W_OK) == 0; #ifdef CYGWIN /* euidaccess may have returned failure because Cygwin couldn't determine the file's UID or GID; if so, we return success. */ @@ -2485,14 +2479,6 @@ } #endif /* CYGWIN */ return res; -#else /* not HAVE_EUIDACCESS */ - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. - Opening with O_WRONLY could work for an ordinary file, - but would lose for directories. */ - return (access (filename, 2) >= 0); -#endif /* not HAVE_EUIDACCESS */ #endif /* not MSDOS */ } @@ -2549,9 +2535,6 @@ { Lisp_Object absname; Lisp_Object handler; - int desc; - int flags; - struct stat statbuf; CHECK_STRING (filename); absname = Fexpand_file_name (filename, Qnil); @@ -2565,28 +2548,13 @@ absname = ENCODE_FILE (absname); #if defined (DOS_NT) || defined (macintosh) - /* Under MS-DOS, Windows, and Macintosh, open does not work for - directories. */ + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ if (access (SDATA (absname), 0) == 0) return Qt; return Qnil; #else /* not DOS_NT and not macintosh */ - flags = O_RDONLY; -#ifdef O_NONBLOCK - /* Opening a fifo without O_NONBLOCK can wait. - We don't want to wait. But we don't want to mess wth O_NONBLOCK - except in the case of a fifo, on a system which handles it. */ - desc = stat (SSDATA (absname), &statbuf); - if (desc < 0) - return Qnil; - if (S_ISFIFO (statbuf.st_mode)) - flags |= O_NONBLOCK; -#endif - desc = emacs_open (SSDATA (absname), flags, 0); - if (desc < 0) - return Qnil; - emacs_close (desc); - return Qt; + return euidaccess (SSDATA (absname), R_OK) == 0 ? Qt : Qnil; #endif /* not DOS_NT and not macintosh */ } @@ -2626,8 +2594,7 @@ should check ACLs though, which do affect this. */ return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; #else - return (check_writable (!NILP (dir) ? SSDATA (dir) : "") - ? Qt : Qnil); + return check_writable (SSDATA (dir)) ? Qt : Qnil; #endif } \f === modified file 'src/lread.c' --- src/lread.c 2012-10-12 15:19:54 +0000 +++ src/lread.c 2012-10-12 23:28:31 +0000 @@ -1404,7 +1404,7 @@ If SUFFIXES is non-nil, it should be a list of suffixes to append to file name when searching. If non-nil, PREDICATE is used instead of `file-readable-p'. -PREDICATE can also be an integer to pass to the access(2) function, +PREDICATE can also be an integer to pass to the euidaccess(2) function, in which case file-name-handlers are ignored. This function will normally skip directories, so if you want it to find directories, make sure the PREDICATE function returns `dir-ok' for them. */) @@ -1558,8 +1558,8 @@ { /* Check that we can access or open it. */ if (NATNUMP (predicate)) - fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 - && access (pfn, XFASTINT (predicate)) == 0) + fd = ((XFASTINT (predicate) <= INT_MAX + && euidaccess (pfn, XFASTINT (predicate)) == 0) ? 1 : -1); else fd = emacs_open (pfn, O_RDONLY, 0); @@ -4088,7 +4088,7 @@ if (STRINGP (dirfile)) { dirfile = Fdirectory_file_name (dirfile); - if (access (SSDATA (dirfile), 0) < 0) + if (euidaccess (SSDATA (dirfile), F_OK) != 0) dir_warning ("Warning: Lisp directory `%s' does not exist.\n", XCAR (path_tail)); } === modified file 'src/process.c' --- src/process.c 2012-10-13 00:52:01 +0000 +++ src/process.c 2012-10-13 00:55:20 +0000 @@ -663,7 +663,7 @@ #else sprintf (pty_name, "/dev/tty%c%x", c, i); #endif /* no PTY_TTY_NAME_SPRINTF */ - if (access (pty_name, 6) != 0) + if (euidaccess (pty_name, R_OK | W_OK) != 0) { emacs_close (fd); # ifndef __sgi === modified file 'src/xrdb.c' --- src/xrdb.c 2012-09-15 07:06:56 +0000 +++ src/xrdb.c 2012-10-12 23:28:31 +0000 @@ -268,7 +268,7 @@ { struct stat status; - return (access (filename, 4) == 0 /* exists and is readable */ + return (euidaccess (filename, R_OK) == 0 /* exists and is readable */ && stat (filename, &status) == 0 /* get the status */ && (S_ISDIR (status.st_mode)) == 0); /* not a directory */ } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-13 1:58 bug#12632: file permissions checking mishandled when setuid Paul Eggert @ 2012-10-13 7:23 ` Eli Zaretskii 2012-10-13 8:36 ` Eli Zaretskii 2012-11-13 2:19 ` bug#12632: updated version of the patch Paul Eggert 1 sibling, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-13 7:23 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Fri, 12 Oct 2012 18:58:14 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: Eli Zaretskii <eliz@gnu.org> > > This patch has a four FIXMEs indicating where the code could > most likely be cleaned up on DOS_NT platforms. The patch > should work fine as-is on DOS_NT, but it'd be nicer if the > DOS_NT support could supply an euidaccess function to allow > simplifying the mainline code. I'll CC: this bug report to > Eli to give him a heads-up. The FIXMEs are OK, but I see no reason for them to come _instead_ of comments which explain why 'access' is used instead of 'stat'. Those comments should be removed only when 'euidaccess' is implemented for those platforms. Regarding this hunk: > @@ -2626,8 +2594,7 @@ > should check ACLs though, which do affect this. */ > return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; > #else > - return (check_writable (!NILP (dir) ? SSDATA (dir) : "") > - ? Qt : Qnil); > + return check_writable (SSDATA (dir)) ? Qt : Qnil; > #endif How will the new code work if 'dir' is nil? Also, what about lread.c:openp, around line 1555: doesn't it want 'euidaccess' as well, rather than 'stat'? I think using 'euidaccess' there will allow a further optimization, in that the call to 'stat' is not needed at all, because right below it we call either 'access' or 'emacs_open'. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-13 7:23 ` Eli Zaretskii @ 2012-10-13 8:36 ` Eli Zaretskii 2012-10-14 6:16 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-13 8:36 UTC (permalink / raw) To: eggert; +Cc: 12632 In addition, I don't understand why is it a good idea to use 'euidaccess' in check_existing. Isn't the fact of the mere existence of a file independent of user's access rights? If 'access' is as good here as 'euidaccess', I think we should use the former, as it is less expensive than the latter (AFAIU). ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-13 8:36 ` Eli Zaretskii @ 2012-10-14 6:16 ` Paul Eggert 2012-10-14 6:56 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-14 6:16 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 [-- Attachment #1: Type: text/plain, Size: 971 bytes --] On 10/13/2012 12:23 AM, Eli Zaretskii wrote: > The FIXMEs are OK, but I see no reason for them to come _instead_ of > comments which explain why 'access' is used instead of 'stat'. OK, I left those comments alone in the attached revision of the patch. > How will the new code work if 'dir' is nil? 'dir' can't be nil there. But this is a separate issue, so I've omitted that change from the revised patch. > Also, what about lread.c:openp, around line 1555: doesn't it want > 'euidaccess' as well, rather than 'stat'? Sure, we can do that. Done in the revised patch. > I don't understand why is it a good idea to use 'euidaccess' in > check_existing. Isn't the fact of the mere existence of a file > independent of user's access rights? No, because you cannot even stat a file that's in a directory that you can't search. Using 'access' rather than 'euidaccess' might let a setuid Emacs search directories that it shouldn't be able to search, or vice versa. [-- Attachment #2: euidaccess.txt --] [-- Type: text/plain, Size: 47247 bytes --] === modified file 'ChangeLog' --- ChangeLog 2012-10-11 11:29:47 +0000 +++ ChangeLog 2012-10-14 06:03:50 +0000 @@ -1,3 +1,12 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * configure.ac (euidaccess): Remove check; gnulib does this for us now. + * lib/euidaccess.c, lib/getgroups.c, lib/group-member.c: + * lib/root-uid.h, lib/xalloc-oversized.h, m4/euidaccess.m4: + * m4/getgroups.m4, m4/group-member.m4: New files, from gnulib. + * lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate. + 2012-10-11 Kenichi Handa <handa@gnu.org> * .bzrignore: Add several files under admin/charsets. === modified file 'admin/ChangeLog' --- admin/ChangeLog 2012-10-11 11:29:47 +0000 +++ admin/ChangeLog 2012-10-14 06:03:50 +0000 @@ -1,3 +1,9 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * merge-gnulib (GNULIB_MODULES): Add euidaccess. + (GNULIB_TOOL_FLAGS): Avoid malloc-posix. + 2012-10-11 Kenichi Handa <handa@gnu.org> * charsets/mapconv: Adjusted for the change of mapfiles/*.gz to === modified file 'admin/merge-gnulib' --- admin/merge-gnulib 2012-09-27 01:06:23 +0000 +++ admin/merge-gnulib 2012-10-12 23:28:31 +0000 @@ -28,7 +28,7 @@ GNULIB_MODULES=' alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 - dtoastr dtotimespec dup2 environ execinfo + dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink @@ -40,7 +40,7 @@ GNULIB_TOOL_FLAGS=' --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat - --avoid=msvc-inval --avoid=msvc-nothrow + --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --conditional-dependencies --import --no-changelog --no-vc-files === modified file 'configure.ac' --- configure.ac 2012-10-08 16:09:00 +0000 +++ configure.ac 2012-10-12 23:28:31 +0000 @@ -2872,7 +2872,7 @@ AC_CHECK_FUNCS(gethostname \ closedir getrusage get_current_dir_name \ lrand48 setsid \ -fpathconf select euidaccess getpagesize setlocale \ +fpathconf select getpagesize setlocale \ utimes getrlimit setrlimit setpgid getcwd shutdown getaddrinfo \ __fpending strsignal setitimer \ sendto recvfrom getsockname getpeername getifaddrs freeifaddrs \ === added file 'lib/euidaccess.c' --- lib/euidaccess.c 1970-01-01 00:00:00 +0000 +++ lib/euidaccess.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,221 @@ +/* euidaccess -- check if effective user id can access file + + Copyright (C) 1990-1991, 1995, 1998, 2000, 2003-2006, 2008-2012 Free + Software Foundation, Inc. + + This file is part of the GNU C Library. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by David MacKenzie and Torbjorn Granlund. + Adapted for GNU C library by Roland McGrath. */ + +#ifndef _LIBC +# include <config.h> +#endif + +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "root-uid.h" + +#if HAVE_LIBGEN_H +# include <libgen.h> +#endif + +#include <errno.h> +#ifndef __set_errno +# define __set_errno(val) errno = (val) +#endif + +#if defined EACCES && !defined EACCESS +# define EACCESS EACCES +#endif + +#ifndef F_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + + +#ifdef _LIBC + +# define access __access +# define getuid __getuid +# define getgid __getgid +# define geteuid __geteuid +# define getegid __getegid +# define group_member __group_member +# define euidaccess __euidaccess +# undef stat +# define stat stat64 + +#endif + +/* Return 0 if the user has permission of type MODE on FILE; + otherwise, return -1 and set 'errno'. + Like access, except that it uses the effective user and group + id's instead of the real ones, and it does not always check for read-only + file system, text busy, etc. */ + +int +euidaccess (const char *file, int mode) +{ +#if HAVE_FACCESSAT /* glibc, AIX 7, Solaris 11, Cygwin 1.7 */ + return faccessat (AT_FDCWD, file, mode, AT_EACCESS); +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ + return access (file, mode | EFF_ONLY_OK); +#elif defined ACC_SELF /* AIX */ + return accessx (file, mode, ACC_SELF); +#elif HAVE_EACCESS /* FreeBSD */ + return eaccess (file, mode); +#else /* Mac OS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ + + uid_t uid = getuid (); + gid_t gid = getgid (); + uid_t euid = geteuid (); + gid_t egid = getegid (); + struct stat stats; + +# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS + + /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to + return the correct result even if this would make it + nonreentrant. Define this only if your entire application is + safe even if the uid or gid might temporarily change. If your + application uses signal handlers or threads it is probably not + safe. */ + + if (mode == F_OK) + return stat (file, &stats); + else + { + int result; + int saved_errno; + + if (uid != euid) + setreuid (euid, uid); + if (gid != egid) + setregid (egid, gid); + + result = access (file, mode); + saved_errno = errno; + + /* Restore them. */ + if (uid != euid) + setreuid (uid, euid); + if (gid != egid) + setregid (gid, egid); + + errno = saved_errno; + return result; + } + +# else + + /* The following code assumes the traditional Unix model, and is not + correct on systems that have ACLs or the like. However, it's + better than nothing, and it is reentrant. */ + + unsigned int granted; + if (uid == euid && gid == egid) + /* If we are not set-uid or set-gid, access does the same. */ + return access (file, mode); + + if (stat (file, &stats) != 0) + return -1; + + /* The super-user can read and write any file, and execute any file + that anyone can execute. */ + if (euid == ROOT_UID + && ((mode & X_OK) == 0 + || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) + return 0; + + /* Convert the mode to traditional form, clearing any bogus bits. */ + if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0) + mode &= 7; + else + mode = ((mode & R_OK ? 4 : 0) + + (mode & W_OK ? 2 : 0) + + (mode & X_OK ? 1 : 0)); + + if (mode == 0) + return 0; /* The file exists. */ + + /* Convert the file's permission bits to traditional form. */ + if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6) + && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3) + && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0)) + granted = stats.st_mode; + else + granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0) + + (stats.st_mode & S_IWUSR ? 2 << 6 : 0) + + (stats.st_mode & S_IXUSR ? 1 << 6 : 0) + + (stats.st_mode & S_IRGRP ? 4 << 3 : 0) + + (stats.st_mode & S_IWGRP ? 2 << 3 : 0) + + (stats.st_mode & S_IXGRP ? 1 << 3 : 0) + + (stats.st_mode & S_IROTH ? 4 << 0 : 0) + + (stats.st_mode & S_IWOTH ? 2 << 0 : 0) + + (stats.st_mode & S_IXOTH ? 1 << 0 : 0)); + + if (euid == stats.st_uid) + granted >>= 6; + else if (egid == stats.st_gid || group_member (stats.st_gid)) + granted >>= 3; + + if ((mode & ~granted) == 0) + return 0; + __set_errno (EACCESS); + return -1; + +# endif +#endif +} +#undef euidaccess +#ifdef weak_alias +weak_alias (__euidaccess, euidaccess) +#endif +\f +#ifdef TEST +# include <error.h> +# include <stdio.h> +# include <stdlib.h> + +char *program_name; + +int +main (int argc, char **argv) +{ + char *file; + int mode; + int err; + + program_name = argv[0]; + if (argc < 3) + abort (); + file = argv[1]; + mode = atoi (argv[2]); + + err = euidaccess (file, mode); + printf ("%d\n", err); + if (err != 0) + error (0, errno, "%s", file); + exit (0); +} +#endif === added file 'lib/getgroups.c' --- lib/getgroups.c 1970-01-01 00:00:00 +0000 +++ lib/getgroups.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,116 @@ +/* provide consistent interface to getgroups for systems that don't allow N==0 + + Copyright (C) 1996, 1999, 2003, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdint.h> + +#if !HAVE_GETGROUPS + +/* Provide a stub that fails with ENOSYS, since there is no group + information available on mingw. */ +int +getgroups (int n _GL_UNUSED, GETGROUPS_T *groups _GL_UNUSED) +{ + errno = ENOSYS; + return -1; +} + +#else /* HAVE_GETGROUPS */ + +# undef getgroups +# ifndef GETGROUPS_ZERO_BUG +# define GETGROUPS_ZERO_BUG 0 +# endif + +/* On at least Ultrix 4.3 and NextStep 3.2, getgroups (0, NULL) always + fails. On other systems, it returns the number of supplemental + groups for the process. This function handles that special case + and lets the system-provided function handle all others. However, + it can fail with ENOMEM if memory is tight. It is unspecified + whether the effective group id is included in the list. */ + +int +rpl_getgroups (int n, gid_t *group) +{ + int n_groups; + GETGROUPS_T *gbuf; + int saved_errno; + + if (n < 0) + { + errno = EINVAL; + return -1; + } + + if (n != 0 || !GETGROUPS_ZERO_BUG) + { + int result; + if (sizeof *group == sizeof *gbuf) + return getgroups (n, (GETGROUPS_T *) group); + + if (SIZE_MAX / sizeof *gbuf <= n) + { + errno = ENOMEM; + return -1; + } + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + result = getgroups (n, gbuf); + if (0 <= result) + { + n = result; + while (n--) + group[n] = gbuf[n]; + } + saved_errno = errno; + free (gbuf); + errno == saved_errno; + return result; + } + + n = 20; + while (1) + { + /* No need to worry about address arithmetic overflow here, + since the ancient systems that we're running on have low + limits on the number of secondary groups. */ + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + n_groups = getgroups (n, gbuf); + if (n_groups == -1 ? errno != EINVAL : n_groups < n) + break; + free (gbuf); + n *= 2; + } + + saved_errno = errno; + free (gbuf); + errno = saved_errno; + + return n_groups; +} + +#endif /* HAVE_GETGROUPS */ === modified file 'lib/gnulib.mk' --- lib/gnulib.mk 2012-10-04 07:15:42 +0000 +++ lib/gnulib.mk 2012-10-12 23:28:31 +0000 @@ -21,7 +21,7 @@ # the same distribution terms as the rest of that program. # # Generated by gnulib-tool. -# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings +# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings MOSTLYCLEANFILES += core *.stackdump @@ -150,6 +150,15 @@ ## end gnulib module dup2 +## begin gnulib module euidaccess + + +EXTRA_DIST += euidaccess.c + +EXTRA_libgnu_a_SOURCES += euidaccess.c + +## end gnulib module euidaccess + ## begin gnulib module execinfo BUILT_SOURCES += $(EXECINFO_H) @@ -183,6 +192,17 @@ ## end gnulib module filemode +## begin gnulib module getgroups + +if gl_GNULIB_ENABLED_getgroups + +endif +EXTRA_DIST += getgroups.c + +EXTRA_libgnu_a_SOURCES += getgroups.c + +## end gnulib module getgroups + ## begin gnulib module getloadavg @@ -242,6 +262,17 @@ ## end gnulib module gettimeofday +## begin gnulib module group-member + +if gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1 + +endif +EXTRA_DIST += group-member.c + +EXTRA_libgnu_a_SOURCES += group-member.c + +## end gnulib module group-member + ## begin gnulib module ignore-value @@ -354,6 +385,13 @@ ## end gnulib module readlink +## begin gnulib module root-uid + + +EXTRA_DIST += root-uid.h + +## end gnulib module root-uid + ## begin gnulib module signal-h BUILT_SOURCES += signal.h @@ -1312,6 +1350,15 @@ ## end gnulib module verify +## begin gnulib module xalloc-oversized + +if gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec + +endif +EXTRA_DIST += xalloc-oversized.h + +## end gnulib module xalloc-oversized + mostlyclean-local: mostlyclean-generic @for dir in '' $(MOSTLYCLEANDIRS); do \ === added file 'lib/group-member.c' --- lib/group-member.c 1970-01-01 00:00:00 +0000 +++ lib/group-member.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,119 @@ +/* group-member.c -- determine whether group id is in calling user's group list + + Copyright (C) 1994, 1997-1998, 2003, 2005-2006, 2009-2012 Free Software + Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +/* Specification. */ +#include <unistd.h> + +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> + +#include "xalloc-oversized.h" + +/* Most processes have no more than this many groups, and for these + processes we can avoid using malloc. */ +enum { GROUPBUF_SIZE = 100 }; + +struct group_info + { + gid_t *group; + gid_t groupbuf[GROUPBUF_SIZE]; + }; + +static void +free_group_info (struct group_info const *g) +{ + if (g->group != g->groupbuf) + free (g->group); +} + +static int +get_group_info (struct group_info *gi) +{ + int n_groups = getgroups (GROUPBUF_SIZE, gi->groupbuf); + gi->group = gi->groupbuf; + + if (n_groups < 0) + { + int n_group_slots = getgroups (0, NULL); + if (0 <= n_group_slots + && ! xalloc_oversized (n_group_slots, sizeof *gi->group)) + { + gi->group = malloc (n_group_slots * sizeof *gi->group); + if (gi->group) + n_groups = getgroups (n_group_slots, gi->group); + } + } + + /* In case of error, the user loses. */ + return n_groups; +} + +/* Return non-zero if GID is one that we have in our groups list. + Note that the groups list is not guaranteed to contain the current + or effective group ID, so they should generally be checked + separately. */ + +int +group_member (gid_t gid) +{ + int i; + int found; + struct group_info gi; + int n_groups = get_group_info (&gi); + + /* Search through the list looking for GID. */ + found = 0; + for (i = 0; i < n_groups; i++) + { + if (gid == gi.group[i]) + { + found = 1; + break; + } + } + + free_group_info (&gi); + + return found; +} + +#ifdef TEST + +char *program_name; + +int +main (int argc, char **argv) +{ + int i; + + program_name = argv[0]; + + for (i = 1; i < argc; i++) + { + gid_t gid; + + gid = atoi (argv[i]); + printf ("%d: %s\n", gid, group_member (gid) ? "yes" : "no"); + } + exit (0); +} + +#endif /* TEST */ === added file 'lib/root-uid.h' --- lib/root-uid.h 1970-01-01 00:00:00 +0000 +++ lib/root-uid.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,30 @@ +/* The user ID that always has appropriate privileges in the POSIX sense. + + Copyright 2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + + Written by Paul Eggert. */ + +#ifndef ROOT_UID_H_ +#define ROOT_UID_H_ + +/* The user ID that always has appropriate privileges in the POSIX sense. */ +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + +#endif === added file 'lib/xalloc-oversized.h' --- lib/xalloc-oversized.h 1970-01-01 00:00:00 +0000 +++ lib/xalloc-oversized.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,38 @@ +/* xalloc-oversized.h -- memory allocation size checking + + Copyright (C) 1990-2000, 2003-2004, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#ifndef XALLOC_OVERSIZED_H_ +# define XALLOC_OVERSIZED_H_ + +# include <stddef.h> + +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not a function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +#endif /* !XALLOC_OVERSIZED_H_ */ === added file 'm4/euidaccess.m4' --- m4/euidaccess.m4 1970-01-01 00:00:00 +0000 +++ m4/euidaccess.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,52 @@ +# euidaccess.m4 serial 14 +dnl Copyright (C) 2002-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS], +[ + AC_REQUIRE([gl_FUNC_EUIDACCESS]) + AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], [1], + [Define this if you prefer euidaccess to return the correct result + even if this would make it nonreentrant. Define this only if your + entire application is safe even if the uid or gid might temporarily + change. If your application uses signal handlers or threads it + is probably not safe.]) +]) + +AC_DEFUN([gl_FUNC_EUIDACCESS], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare euidaccess(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS([euidaccess]) + if test $ac_cv_func_euidaccess = no; then + HAVE_EUIDACCESS=0 + fi +]) + +# Prerequisites of lib/euidaccess.c. +AC_DEFUN([gl_PREREQ_EUIDACCESS], [ + dnl Prefer POSIX faccessat over non-standard euidaccess. + AC_CHECK_FUNCS_ONCE([faccessat]) + dnl Try various other non-standard fallbacks. + AC_CHECK_HEADERS_ONCE([libgen.h]) + AC_CHECK_DECLS_ONCE([setregid]) + AC_REQUIRE([AC_FUNC_GETGROUPS]) + + # Solaris 9 and 10 need -lgen to get the eaccess function. + # Save and restore LIBS so -lgen isn't added to it. Otherwise, *all* + # programs in the package would end up linked with that potentially-shared + # library, inducing unnecessary run-time overhead. + LIB_EACCESS= + AC_SUBST([LIB_EACCESS]) + gl_saved_libs=$LIBS + AC_SEARCH_LIBS([eaccess], [gen], + [test "$ac_cv_search_eaccess" = "none required" || + LIB_EACCESS=$ac_cv_search_eaccess]) + AC_CHECK_FUNCS([eaccess]) + LIBS=$gl_saved_libs +]) === added file 'm4/getgroups.m4' --- m4/getgroups.m4 1970-01-01 00:00:00 +0000 +++ m4/getgroups.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,107 @@ +# serial 18 + +dnl From Jim Meyering. +dnl A wrapper around AC_FUNC_GETGROUPS. + +# Copyright (C) 1996-1997, 1999-2004, 2008-2012 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +m4_version_prereq([2.70], [] ,[ + +# This is taken from the following Autoconf patch: +# http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=commitdiff;h=7fbb553727ed7e0e689a17594b58559ecf3ea6e9 +AC_DEFUN([AC_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl for cross-compiles + AC_CHECK_FUNC([getgroups]) + + # If we don't yet have getgroups, see if it's in -lbsd. + # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1. + ac_save_LIBS=$LIBS + if test $ac_cv_func_getgroups = no; then + AC_CHECK_LIB(bsd, getgroups, [GETGROUPS_LIB=-lbsd]) + fi + + # Run the program to test the functionality of the system-supplied + # getgroups function only if there is such a function. + if test $ac_cv_func_getgroups = yes; then + AC_CACHE_CHECK([for working getgroups], [ac_cv_func_getgroups_works], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [AC_INCLUDES_DEFAULT], + [[/* On Ultrix 4.3, getgroups (0, 0) always fails. */ + return getgroups (0, 0) == -1;]]) + ], + [ac_cv_func_getgroups_works=yes], + [ac_cv_func_getgroups_works=no], + [case "$host_os" in # (( + # Guess yes on glibc systems. + *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) ac_cv_func_getgroups_works="guessing no" ;; + esac + ]) + ]) + else + ac_cv_func_getgroups_works=no + fi + case "$ac_cv_func_getgroups_works" in + *yes) + AC_DEFINE([HAVE_GETGROUPS], [1], + [Define to 1 if your system has a working `getgroups' function.]) + ;; + esac + LIBS=$ac_save_LIBS +])# AC_FUNC_GETGROUPS + +]) + +AC_DEFUN([gl_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + AC_REQUIRE([AC_CANONICAL_HOST]) dnl for cross-compiles + + AC_FUNC_GETGROUPS + if test $ac_cv_func_getgroups != yes; then + HAVE_GETGROUPS=0 + else + if test "$ac_cv_type_getgroups" != gid_t \ + || { case "$ac_cv_func_getgroups_works" in + *yes) false;; + *) true;; + esac + }; then + REPLACE_GETGROUPS=1 + AC_DEFINE([GETGROUPS_ZERO_BUG], [1], [Define this to 1 if + getgroups(0,NULL) does not return the number of groups.]) + else + dnl Detect FreeBSD bug; POSIX requires getgroups(-1,ptr) to fail. + AC_CACHE_CHECK([whether getgroups handles negative values], + [gl_cv_func_getgroups_works], + [AC_RUN_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[int size = getgroups (0, 0); + gid_t *list = malloc (size * sizeof *list); + return getgroups (-1, list) != -1;]])], + [gl_cv_func_getgroups_works=yes], + [gl_cv_func_getgroups_works=no], + [case "$host_os" in + # Guess yes on glibc systems. + *-gnu*) gl_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) gl_cv_func_getgroups_works="guessing no" ;; + esac + ])]) + case "$gl_cv_func_getgroups_works" in + *yes) ;; + *) REPLACE_GETGROUPS=1 ;; + esac + fi + fi + test -n "$GETGROUPS_LIB" && LIBS="$GETGROUPS_LIB $LIBS" +]) === modified file 'm4/gnulib-comp.m4' --- m4/gnulib-comp.m4 2012-09-27 01:06:23 +0000 +++ m4/gnulib-comp.m4 2012-10-12 23:28:31 +0000 @@ -53,17 +53,20 @@ # Code from module dtotimespec: # Code from module dup2: # Code from module environ: + # Code from module euidaccess: # Code from module execinfo: # Code from module extensions: AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) # Code from module extern-inline: # Code from module filemode: + # Code from module getgroups: # Code from module getloadavg: # Code from module getopt-gnu: # Code from module getopt-posix: # Code from module gettext-h: # Code from module gettime: # Code from module gettimeofday: + # Code from module group-member: # Code from module ignore-value: # Code from module include_next: # Code from module intprops: @@ -79,6 +82,7 @@ # Code from module pselect: # Code from module pthread_sigmask: # Code from module readlink: + # Code from module root-uid: # Code from module signal-h: # Code from module snippet/_Noreturn: # Code from module snippet/arg-nonnull: @@ -120,6 +124,7 @@ # Code from module utimens: # Code from module verify: # Code from module warnings: + # Code from module xalloc-oversized: ]) # This macro should be invoked from ./configure.ac, in the section @@ -154,6 +159,12 @@ gl_UNISTD_MODULE_INDICATOR([dup2]) gl_ENVIRON gl_UNISTD_MODULE_INDICATOR([environ]) + gl_FUNC_EUIDACCESS + if test $HAVE_EUIDACCESS = 0; then + AC_LIBOBJ([euidaccess]) + gl_PREREQ_EUIDACCESS + fi + gl_UNISTD_MODULE_INDICATOR([euidaccess]) gl_EXECINFO_H AC_REQUIRE([gl_EXTERN_INLINE]) gl_FILEMODE @@ -269,18 +280,32 @@ gl_UNISTD_H gl_UTIMENS gl_gnulib_enabled_dosname=false + gl_gnulib_enabled_getgroups=false gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=false + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=false gl_gnulib_enabled_pathmax=false gl_gnulib_enabled_stat=false gl_gnulib_enabled_strtoll=false gl_gnulib_enabled_strtoull=false gl_gnulib_enabled_verify=false + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=false func_gl_gnulib_m4code_dosname () { if ! $gl_gnulib_enabled_dosname; then gl_gnulib_enabled_dosname=true fi } + func_gl_gnulib_m4code_getgroups () + { + if ! $gl_gnulib_enabled_getgroups; then + gl_FUNC_GETGROUPS + if test $HAVE_GETGROUPS = 0 || test $REPLACE_GETGROUPS = 1; then + AC_LIBOBJ([getgroups]) + fi + gl_UNISTD_MODULE_INDICATOR([getgroups]) + gl_gnulib_enabled_getgroups=true + fi + } func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 () { if ! $gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36; then @@ -289,6 +314,24 @@ gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=true fi } + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 () + { + if ! $gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1; then + gl_FUNC_GROUP_MEMBER + if test $HAVE_GROUP_MEMBER = 0; then + AC_LIBOBJ([group-member]) + gl_PREREQ_GROUP_MEMBER + fi + gl_UNISTD_MODULE_INDICATOR([group-member]) + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=true + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_getgroups + fi + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec + fi + fi + } func_gl_gnulib_m4code_pathmax () { if ! $gl_gnulib_enabled_pathmax; then @@ -347,6 +390,18 @@ gl_gnulib_enabled_verify=true fi } + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec () + { + if ! $gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec; then + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=true + fi + } + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 + fi + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_stat + fi if test $REPLACE_GETOPT = 1; then func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 fi @@ -373,12 +428,15 @@ fi m4_pattern_allow([^gl_GNULIB_ENABLED_]) AM_CONDITIONAL([gl_GNULIB_ENABLED_dosname], [$gl_gnulib_enabled_dosname]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_getgroups], [$gl_gnulib_enabled_getgroups]) AM_CONDITIONAL([gl_GNULIB_ENABLED_be453cec5eecf5731a274f2de7f2db36], [$gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1], [$gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1]) AM_CONDITIONAL([gl_GNULIB_ENABLED_pathmax], [$gl_gnulib_enabled_pathmax]) AM_CONDITIONAL([gl_GNULIB_ENABLED_stat], [$gl_gnulib_enabled_stat]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoll], [$gl_gnulib_enabled_strtoll]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoull], [$gl_gnulib_enabled_strtoull]) AM_CONDITIONAL([gl_GNULIB_ENABLED_verify], [$gl_gnulib_enabled_verify]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec], [$gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec]) # End of code from modules m4_ifval(gl_LIBSOURCES_LIST, [ m4_syscmd([test ! -d ]m4_defn([gl_LIBSOURCES_DIR])[ || @@ -538,12 +596,14 @@ lib/dtoastr.c lib/dtotimespec.c lib/dup2.c + lib/euidaccess.c lib/execinfo.c lib/execinfo.in.h lib/filemode.c lib/filemode.h lib/ftoastr.c lib/ftoastr.h + lib/getgroups.c lib/getloadavg.c lib/getopt.c lib/getopt.in.h @@ -552,6 +612,7 @@ lib/gettext.h lib/gettime.c lib/gettimeofday.c + lib/group-member.c lib/ignore-value.h lib/intprops.h lib/inttypes.in.h @@ -564,6 +625,7 @@ lib/pselect.c lib/pthread_sigmask.c lib/readlink.c + lib/root-uid.h lib/sha1.c lib/sha1.h lib/sha256.c @@ -605,21 +667,25 @@ lib/utimens.c lib/utimens.h lib/verify.h + lib/xalloc-oversized.h m4/00gnulib.m4 m4/alloca.m4 m4/c-strtod.m4 m4/clock_time.m4 m4/dup2.m4 m4/environ.m4 + m4/euidaccess.m4 m4/execinfo.m4 m4/extensions.m4 m4/extern-inline.m4 m4/filemode.m4 + m4/getgroups.m4 m4/getloadavg.m4 m4/getopt.m4 m4/gettime.m4 m4/gettimeofday.m4 m4/gnulib-common.m4 + m4/group-member.m4 m4/include_next.m4 m4/inttypes.m4 m4/largefile.m4 === added file 'm4/group-member.m4' --- m4/group-member.m4 1970-01-01 00:00:00 +0000 +++ m4/group-member.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,29 @@ +# serial 14 + +# Copyright (C) 1999-2001, 2003-2007, 2009-2012 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +dnl Written by Jim Meyering + +AC_DEFUN([gl_FUNC_GROUP_MEMBER], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare group_member(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + dnl Do this replacement check manually because I want the hyphen + dnl (not the underscore) in the filename. + AC_CHECK_FUNC([group_member], , [ + HAVE_GROUP_MEMBER=0 + ]) +]) + +# Prerequisites of lib/group-member.c. +AC_DEFUN([gl_PREREQ_GROUP_MEMBER], +[ + AC_REQUIRE([AC_FUNC_GETGROUPS]) +]) === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-14 00:17:07 +0000 +++ src/ChangeLog 2012-10-14 06:02:52 +0000 @@ -1,3 +1,27 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * Makefile.in (LIB_EACCESS): New macro. + (LIBES): Use it. + * callproc.c (init_callproc): + * charset.c (init_charset): + * fileio.c (check_existing) [!DOS_NT]: + (check_executable) [!DOS_NT && !HAVE_EUIDACCESS]: + * lread.c (openp, load_path_check): + * process.c (allocate_pty): + * xrdb.c (file_p): + Use euidaccess, not access. Use symbolic names instead of integers + for the flags, as they're portable now. + * fileio.c (Ffile_readable_p) [!DOS_NT && !macintosh]: + Use euidaccess, not stat + open + close. + (file_directory_p): New function, which uses 'stat' on most places + but 'access' (for efficiency) if WINDOWSNT. + (Ffile_directory_p): Use it. + * lisp.h (file_directory_p): New decl. + * lread.c (openp): When opening a file, use fstat rather than + stat, as that avoids a permissions race. When not opening a file, + use file_directory_p rather than stat. + 2012-10-13 Jan Djärv <jan.h.d@swipnet.se> * gtkutil.c (xg_set_widget_bg): Divide by 65535 (Bug#12612). === modified file 'src/Makefile.in' --- src/Makefile.in 2012-10-08 12:53:18 +0000 +++ src/Makefile.in 2012-10-13 01:49:41 +0000 @@ -150,6 +150,7 @@ M17N_FLT_LIBS = @M17N_FLT_LIBS@ LIB_CLOCK_GETTIME=@LIB_CLOCK_GETTIME@ +LIB_EACCESS=@LIB_EACCESS@ LIB_TIMER_TIME=@LIB_TIMER_TIME@ DBUS_CFLAGS = @DBUS_CFLAGS@ @@ -392,7 +393,7 @@ LIBES = $(LIBS) $(W32_LIBS) $(LIBX_BASE) $(LIBIMAGE) \ $(LIBX_OTHER) $(LIBSOUND) \ $(RSVG_LIBS) $(IMAGEMAGICK_LIBS) $(LIB_CLOCK_GETTIME) \ - $(LIB_TIMER_TIME) $(DBUS_LIBS) \ + $(LIB_EACCESS) $(LIB_TIMER_TIME) $(DBUS_LIBS) \ $(LIB_EXECINFO) \ $(LIBXML2_LIBS) $(LIBGPM) $(LIBRESOLV) $(LIBS_SYSTEM) \ $(LIBS_TERMCAP) $(GETLOADAVG_LIBS) $(SETTINGS_LIBS) $(LIBSELINUX_LIBS) \ === modified file 'src/callproc.c' --- src/callproc.c 2012-09-23 22:25:22 +0000 +++ src/callproc.c 2012-10-12 23:28:31 +0000 @@ -1597,13 +1597,13 @@ #endif { tempdir = Fdirectory_file_name (Vexec_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-dependent data dir (%s) does not exist.\n", Vexec_directory); } tempdir = Fdirectory_file_name (Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-independent data dir (%s) does not exist.\n", Vdata_directory); === modified file 'src/charset.c' --- src/charset.c 2012-10-01 06:36:54 +0000 +++ src/charset.c 2012-10-12 23:28:31 +0000 @@ -2293,7 +2293,7 @@ { Lisp_Object tempdir; tempdir = Fexpand_file_name (build_string ("charsets"), Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) != 0) { /* This used to be non-fatal (dir_warning), but it should not happen, and if it does sooner or later it will cause some === modified file 'src/fileio.c' --- src/fileio.c 2012-10-13 08:55:26 +0000 +++ src/fileio.c 2012-10-14 06:02:52 +0000 @@ -2428,10 +2428,11 @@ /* The full emulation of Posix 'stat' is too expensive on DOS/Windows, when all we want to know is whether the file exists. So we use 'access' instead, which is much more lightweight. */ + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ return (access (filename, F_OK) >= 0); #else - struct stat st; - return (stat (filename, &st) >= 0); + return euidaccess (filename, F_OK) == 0; #endif } @@ -2441,19 +2442,14 @@ check_executable (char *filename) { #ifdef DOS_NT + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return ((st.st_mode & S_IEXEC) != 0); #else /* not DOS_NT */ -#ifdef HAVE_EUIDACCESS - return (euidaccess (filename, 1) >= 0); -#else - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. */ - return (access (filename, 1) >= 0); -#endif + return euidaccess (filename, X_OK) == 0; #endif /* not DOS_NT */ } @@ -2463,13 +2459,14 @@ check_writable (const char *filename) { #ifdef MSDOS + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return (st.st_mode & S_IWRITE || S_ISDIR (st.st_mode)); #else /* not MSDOS */ -#ifdef HAVE_EUIDACCESS - bool res = (euidaccess (filename, 2) >= 0); + bool res = euidaccess (filename, W_OK) == 0; #ifdef CYGWIN /* euidaccess may have returned failure because Cygwin couldn't determine the file's UID or GID; if so, we return success. */ @@ -2482,14 +2479,6 @@ } #endif /* CYGWIN */ return res; -#else /* not HAVE_EUIDACCESS */ - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. - Opening with O_WRONLY could work for an ordinary file, - but would lose for directories. */ - return (access (filename, 2) >= 0); -#endif /* not HAVE_EUIDACCESS */ #endif /* not MSDOS */ } @@ -2546,9 +2535,6 @@ { Lisp_Object absname; Lisp_Object handler; - int desc; - int flags; - struct stat statbuf; CHECK_STRING (filename); absname = Fexpand_file_name (filename, Qnil); @@ -2562,28 +2548,13 @@ absname = ENCODE_FILE (absname); #if defined (DOS_NT) || defined (macintosh) - /* Under MS-DOS, Windows, and Macintosh, open does not work for - directories. */ + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ if (access (SDATA (absname), 0) == 0) return Qt; return Qnil; #else /* not DOS_NT and not macintosh */ - flags = O_RDONLY; -#ifdef O_NONBLOCK - /* Opening a fifo without O_NONBLOCK can wait. - We don't want to wait. But we don't want to mess wth O_NONBLOCK - except in the case of a fifo, on a system which handles it. */ - desc = stat (SSDATA (absname), &statbuf); - if (desc < 0) - return Qnil; - if (S_ISFIFO (statbuf.st_mode)) - flags |= O_NONBLOCK; -#endif - desc = emacs_open (SSDATA (absname), flags, 0); - if (desc < 0) - return Qnil; - emacs_close (desc); - return Qt; + return euidaccess (SSDATA (absname), R_OK) == 0 ? Qt : Qnil; #endif /* not DOS_NT and not macintosh */ } @@ -2702,8 +2673,7 @@ See `file-symlink-p' to distinguish symlinks. */) (Lisp_Object filename) { - register Lisp_Object absname; - struct stat st; + Lisp_Object absname; Lisp_Object handler; absname = expand_and_dir_to_file (filename, BVAR (current_buffer, directory)); @@ -2716,9 +2686,20 @@ absname = ENCODE_FILE (absname); - if (stat (SSDATA (absname), &st) < 0) - return Qnil; - return S_ISDIR (st.st_mode) ? Qt : Qnil; + return file_directory_p (SSDATA (absname)) ? Qt : Qnil; +} + +/* Return true if FILE is a directory or a symlink to a directory. */ +bool +file_directory_p (char const *file) +{ +#ifdef WINDOWSNT + /* 'access' is cheaper than 'stat'. */ + return access (file, D_OK) == 0; +#else + struct stat st; + return stat (file, &st) == 0 && S_ISDIR (st.st_mode); +#endif } DEFUN ("file-accessible-directory-p", Ffile_accessible_directory_p, === modified file 'src/lisp.h' --- src/lisp.h 2012-10-12 15:19:54 +0000 +++ src/lisp.h 2012-10-14 06:00:40 +0000 @@ -3179,6 +3179,7 @@ extern Lisp_Object restore_point_unwind (Lisp_Object); extern _Noreturn void report_file_error (const char *, Lisp_Object); extern void internal_delete_file (Lisp_Object); +extern bool file_directory_p (const char *); extern void syms_of_fileio (void); extern Lisp_Object make_temp_name (Lisp_Object, bool); extern Lisp_Object Qdelete_file; === modified file 'src/lread.c' --- src/lread.c 2012-10-12 15:19:54 +0000 +++ src/lread.c 2012-10-14 06:00:40 +0000 @@ -1404,7 +1404,7 @@ If SUFFIXES is non-nil, it should be a list of suffixes to append to file name when searching. If non-nil, PREDICATE is used instead of `file-readable-p'. -PREDICATE can also be an integer to pass to the access(2) function, +PREDICATE can also be an integer to pass to the euidaccess(2) function, in which case file-name-handlers are ignored. This function will normally skip directories, so if you want it to find directories, make sure the PREDICATE function returns `dir-ok' for them. */) @@ -1442,7 +1442,6 @@ int openp (Lisp_Object path, Lisp_Object str, Lisp_Object suffixes, Lisp_Object *storeptr, Lisp_Object predicate) { - int fd; ptrdiff_t fn_size = 100; char buf[100]; char *fn = buf; @@ -1497,7 +1496,6 @@ { ptrdiff_t fnlen, lsuffix = SBYTES (XCAR (tail)); Lisp_Object handler; - bool exists; /* Concatenate path element/specified name with the suffix. If the directory starts with /:, remove that. */ @@ -1521,6 +1519,7 @@ handler = Ffind_file_name_handler (string, Qfile_exists_p); if ((!NILP (handler) || !NILP (predicate)) && !NATNUMP (predicate)) { + bool exists; if (NILP (predicate)) exists = !NILP (Ffile_readable_p (string)); else @@ -1542,37 +1541,38 @@ } else { -#ifndef WINDOWSNT - struct stat st; -#endif + int fd; const char *pfn; encoded_fn = ENCODE_FILE (string); pfn = SSDATA (encoded_fn); -#ifdef WINDOWSNT - exists = access (pfn, F_OK) == 0 && access (pfn, D_OK) < 0; -#else - exists = (stat (pfn, &st) == 0 && ! S_ISDIR (st.st_mode)); -#endif - if (exists) + + /* Check that we can access or open it. */ + if (NATNUMP (predicate)) + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 + && euidaccess (pfn, XFASTINT (predicate)) == 0 + && ! file_directory_p (pfn)) + ? 1 : -1); + else { - /* Check that we can access or open it. */ - if (NATNUMP (predicate)) - fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 - && access (pfn, XFASTINT (predicate)) == 0) - ? 1 : -1); - else - fd = emacs_open (pfn, O_RDONLY, 0); - - if (fd >= 0) + struct stat st; + fd = emacs_open (pfn, O_RDONLY, 0); + if (0 <= fd + && (fstat (fd, &st) != 0 || S_ISDIR (st.st_mode))) { - /* We succeeded; return this descriptor and filename. */ - if (storeptr) - *storeptr = string; - UNGCPRO; - return fd; + emacs_close (fd); + fd = -1; } } + + if (fd >= 0) + { + /* We succeeded; return this descriptor and filename. */ + if (storeptr) + *storeptr = string; + UNGCPRO; + return fd; + } } } if (absolute) @@ -4088,7 +4088,7 @@ if (STRINGP (dirfile)) { dirfile = Fdirectory_file_name (dirfile); - if (access (SSDATA (dirfile), 0) < 0) + if (euidaccess (SSDATA (dirfile), F_OK) != 0) dir_warning ("Warning: Lisp directory `%s' does not exist.\n", XCAR (path_tail)); } === modified file 'src/process.c' --- src/process.c 2012-10-13 00:52:01 +0000 +++ src/process.c 2012-10-13 00:55:20 +0000 @@ -663,7 +663,7 @@ #else sprintf (pty_name, "/dev/tty%c%x", c, i); #endif /* no PTY_TTY_NAME_SPRINTF */ - if (access (pty_name, 6) != 0) + if (euidaccess (pty_name, R_OK | W_OK) != 0) { emacs_close (fd); # ifndef __sgi === modified file 'src/xrdb.c' --- src/xrdb.c 2012-09-15 07:06:56 +0000 +++ src/xrdb.c 2012-10-12 23:28:31 +0000 @@ -268,7 +268,7 @@ { struct stat status; - return (access (filename, 4) == 0 /* exists and is readable */ + return (euidaccess (filename, R_OK) == 0 /* exists and is readable */ && stat (filename, &status) == 0 /* get the status */ && (S_ISDIR (status.st_mode)) == 0); /* not a directory */ } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 6:16 ` Paul Eggert @ 2012-10-14 6:56 ` Eli Zaretskii 2012-10-14 18:14 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-14 6:56 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sat, 13 Oct 2012 23:16:44 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > > How will the new code work if 'dir' is nil? > > 'dir' can't be nil there. file-name-directory can return nil, so 'dir' can be nil if the function is called with a name of a non-exiting file that has no leading directories. > > Also, what about lread.c:openp, around line 1555: doesn't it want > > 'euidaccess' as well, rather than 'stat'? > > Sure, we can do that. Done in the revised patch. > [...] > + > + /* Check that we can access or open it. */ > + if (NATNUMP (predicate)) > + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 > + && euidaccess (pfn, XFASTINT (predicate)) == 0 > + && ! file_directory_p (pfn)) > + ? 1 : -1); > + else This won't compile on Windows, since there's no 'euidaccess' (yet). > if (STRINGP (dirfile)) > { > dirfile = Fdirectory_file_name (dirfile); > - if (access (SSDATA (dirfile), 0) < 0) > + if (euidaccess (SSDATA (dirfile), F_OK) != 0) > dir_warning ("Warning: Lisp directory `%s' does not exist.\n", > XCAR (path_tail)); > } Same here. > > I don't understand why is it a good idea to use 'euidaccess' in > > check_existing. Isn't the fact of the mere existence of a file > > independent of user's access rights? > > No, because you cannot even stat a file that's in a directory that you > can't search. Using 'access' rather than 'euidaccess' might > let a setuid Emacs search directories that it shouldn't be able > to search, or vice versa. But that's not a concern for check_existing, I think. That's a concern for check_writable, file-accessible-directory, etc. IOW, Emacs should be able to test whether a file exists even if it will be unable to access it later. In any case, using 'euidaccess' here subtly changes the semantics of file-exists-p, so if we decide to do that, it should be documented as an incompatible change. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 6:56 ` Eli Zaretskii @ 2012-10-14 18:14 ` Paul Eggert 2012-10-14 18:39 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-14 18:14 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 [-- Attachment #1: Type: text/plain, Size: 7053 bytes --] On 10/13/2012 11:56 PM, Eli Zaretskii wrote: > This won't compile on Windows, since there's no 'euidaccess' (yet). Thanks, that should be easy enough to fix, so I gave it a whirl (patch below). > Emacs should be able to test whether a file exists even if it > will be unable to access it later. Emacs cannot do that. What 'access' does is ask, "If Emacs were to issue the seteuid system call, and change the effective user ID to the real user ID, would Emacs then be able to see that the file exists?" This does not test whether the file exists; it tests only whether Emacs could see that the file exists in a hypothetical situation that never actually happens (because Emacs never issues the seteuid system call). But this isn't what is wanted here: what is wanted is a test whether Emacs can currently see that the file exists, and that is what euidaccess does. > In any case, using 'euidaccess' here subtly changes the semantics of > file-exists-p Currently file-exists-p uses 'stat', and 'euidaccess' uses the same access check that 'stat' does -- they both use the effective uid. So the semantics aren't changing here. >> > 'dir' can't be nil there. > file-name-directory can return nil It's an absolute file name, so file-name-directory can't return nil. (This point is moot now, since the patch doesn't remove the unnecessary NILP check.) Here's the incremental patch to add euidaccess to Windows. I'm attaching the entire revised patch, relative to trunk bzr 110544. === modified file 'nt/ChangeLog' --- nt/ChangeLog 2012-10-08 14:14:22 +0000 +++ nt/ChangeLog 2012-10-14 18:06:01 +0000 @@ -1,3 +1,9 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * inc/ms-w32.h (euidaccess): Define this, not 'access', since + the mainline code now uses euidaccess. + 2012-10-08 Juanma Barranquero <lekktu@gmail.com> * config.nt: Sync with autogen/config.in. === modified file 'nt/inc/ms-w32.h' --- nt/inc/ms-w32.h 2012-09-30 21:36:42 +0000 +++ nt/inc/ms-w32.h 2012-10-14 18:06:01 +0000 @@ -160,8 +160,6 @@ #endif /* Calls that are emulated or shadowed. */ -#undef access -#define access sys_access #undef chdir #define chdir sys_chdir #undef chmod @@ -176,6 +174,7 @@ #define dup sys_dup #undef dup2 #define dup2 sys_dup2 +#define euidaccess sys_access #define fopen sys_fopen #define link sys_link #define localtime sys_localtime === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-14 06:02:52 +0000 +++ src/ChangeLog 2012-10-14 18:06:01 +0000 @@ -5,14 +5,13 @@ (LIBES): Use it. * callproc.c (init_callproc): * charset.c (init_charset): - * fileio.c (check_existing) [!DOS_NT]: - (check_executable) [!DOS_NT && !HAVE_EUIDACCESS]: + * fileio.c (check_existing, check_executable): * lread.c (openp, load_path_check): * process.c (allocate_pty): * xrdb.c (file_p): Use euidaccess, not access. Use symbolic names instead of integers for the flags, as they're portable now. - * fileio.c (Ffile_readable_p) [!DOS_NT && !macintosh]: + * fileio.c (Ffile_readable_p): Use euidaccess, not stat + open + close. (file_directory_p): New function, which uses 'stat' on most places but 'access' (for efficiency) if WINDOWSNT. @@ -21,6 +20,7 @@ * lread.c (openp): When opening a file, use fstat rather than stat, as that avoids a permissions race. When not opening a file, use file_directory_p rather than stat. + * msdos.c (init_environment, readlink): Use sys_access, not access. 2012-10-13 Jan Djärv <jan.h.d@swipnet.se> === modified file 'src/fileio.c' --- src/fileio.c 2012-10-14 06:02:52 +0000 +++ src/fileio.c 2012-10-14 18:06:01 +0000 @@ -2424,16 +2424,7 @@ bool check_existing (const char *filename) { -#ifdef DOS_NT - /* The full emulation of Posix 'stat' is too expensive on - DOS/Windows, when all we want to know is whether the file exists. - So we use 'access' instead, which is much more lightweight. */ - /* FIXME: an euidaccess implementation should be added to the - DOS/Windows ports and this #ifdef branch should be removed. */ - return (access (filename, F_OK) >= 0); -#else return euidaccess (filename, F_OK) == 0; -#endif } /* Return true if file FILENAME exists and can be executed. */ @@ -2441,16 +2432,7 @@ static bool check_executable (char *filename) { -#ifdef DOS_NT - /* FIXME: an euidaccess implementation should be added to the - DOS/Windows ports and this #ifdef branch should be removed. */ - struct stat st; - if (stat (filename, &st) < 0) - return 0; - return ((st.st_mode & S_IEXEC) != 0); -#else /* not DOS_NT */ return euidaccess (filename, X_OK) == 0; -#endif /* not DOS_NT */ } /* Return true if file FILENAME exists and can be written. */ @@ -2546,16 +2528,7 @@ return call2 (handler, Qfile_readable_p, absname); absname = ENCODE_FILE (absname); - -#if defined (DOS_NT) || defined (macintosh) - /* FIXME: an euidaccess implementation should be added to the - DOS/Windows ports and this #ifdef branch should be removed. */ - if (access (SDATA (absname), 0) == 0) - return Qt; - return Qnil; -#else /* not DOS_NT and not macintosh */ return euidaccess (SSDATA (absname), R_OK) == 0 ? Qt : Qnil; -#endif /* not DOS_NT and not macintosh */ } /* Having this before file-symlink-p mysteriously caused it to be forgotten @@ -2592,7 +2565,7 @@ /* The read-only attribute of the parent directory doesn't affect whether a file or directory can be created within it. Some day we should check ACLs though, which do affect this. */ - return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; + return file_directory_p (SDATA (dir)) ? Qt : Qnil; #else return (check_writable (!NILP (dir) ? SSDATA (dir) : "") ? Qt : Qnil); @@ -2694,8 +2667,8 @@ file_directory_p (char const *file) { #ifdef WINDOWSNT - /* 'access' is cheaper than 'stat'. */ - return access (file, D_OK) == 0; + /* This is cheaper than 'stat'. */ + return euidaccess (file, D_OK) == 0; #else struct stat st; return stat (file, &st) == 0 && S_ISDIR (st.st_mode); === modified file 'src/msdos.c' --- src/msdos.c 2012-09-23 08:44:20 +0000 +++ src/msdos.c 2012-10-14 18:06:01 +0000 @@ -3557,7 +3557,7 @@ read-only filesystem, like CD-ROM or a write-protected floppy. The only way to be really sure is to actually create a file and see if it succeeds. But I think that's too much to ask. */ - if (tmp && access (tmp, D_OK) == 0) + if (tmp && sys_access (tmp, D_OK) == 0) { setenv ("TMPDIR", tmp, 1); break; @@ -3935,7 +3935,7 @@ readlink (const char *name, char *dummy1, size_t dummy2) { /* `access' is much faster than `stat' on MS-DOS. */ - if (access (name, F_OK) == 0) + if (sys_access (name, F_OK) == 0) errno = EINVAL; return -1; } [-- Attachment #2: euidaccess.txt --] [-- Type: text/plain, Size: 49280 bytes --] === modified file 'ChangeLog' --- ChangeLog 2012-10-11 11:29:47 +0000 +++ ChangeLog 2012-10-14 06:03:50 +0000 @@ -1,3 +1,12 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * configure.ac (euidaccess): Remove check; gnulib does this for us now. + * lib/euidaccess.c, lib/getgroups.c, lib/group-member.c: + * lib/root-uid.h, lib/xalloc-oversized.h, m4/euidaccess.m4: + * m4/getgroups.m4, m4/group-member.m4: New files, from gnulib. + * lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate. + 2012-10-11 Kenichi Handa <handa@gnu.org> * .bzrignore: Add several files under admin/charsets. === modified file 'admin/ChangeLog' --- admin/ChangeLog 2012-10-14 08:01:30 +0000 +++ admin/ChangeLog 2012-10-14 18:08:30 +0000 @@ -1,3 +1,9 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * merge-gnulib (GNULIB_MODULES): Add euidaccess. + (GNULIB_TOOL_FLAGS): Avoid malloc-posix. + 2012-10-12 Kenichi Handa <handa@gnu.org> * charsets/Makefile (JISC6226.map): Add missing mappings. === modified file 'admin/merge-gnulib' --- admin/merge-gnulib 2012-09-27 01:06:23 +0000 +++ admin/merge-gnulib 2012-10-12 23:28:31 +0000 @@ -28,7 +28,7 @@ GNULIB_MODULES=' alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 - dtoastr dtotimespec dup2 environ execinfo + dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink @@ -40,7 +40,7 @@ GNULIB_TOOL_FLAGS=' --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat - --avoid=msvc-inval --avoid=msvc-nothrow + --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --conditional-dependencies --import --no-changelog --no-vc-files === modified file 'configure.ac' --- configure.ac 2012-10-08 16:09:00 +0000 +++ configure.ac 2012-10-12 23:28:31 +0000 @@ -2872,7 +2872,7 @@ AC_CHECK_FUNCS(gethostname \ closedir getrusage get_current_dir_name \ lrand48 setsid \ -fpathconf select euidaccess getpagesize setlocale \ +fpathconf select getpagesize setlocale \ utimes getrlimit setrlimit setpgid getcwd shutdown getaddrinfo \ __fpending strsignal setitimer \ sendto recvfrom getsockname getpeername getifaddrs freeifaddrs \ === added file 'lib/euidaccess.c' --- lib/euidaccess.c 1970-01-01 00:00:00 +0000 +++ lib/euidaccess.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,221 @@ +/* euidaccess -- check if effective user id can access file + + Copyright (C) 1990-1991, 1995, 1998, 2000, 2003-2006, 2008-2012 Free + Software Foundation, Inc. + + This file is part of the GNU C Library. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by David MacKenzie and Torbjorn Granlund. + Adapted for GNU C library by Roland McGrath. */ + +#ifndef _LIBC +# include <config.h> +#endif + +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "root-uid.h" + +#if HAVE_LIBGEN_H +# include <libgen.h> +#endif + +#include <errno.h> +#ifndef __set_errno +# define __set_errno(val) errno = (val) +#endif + +#if defined EACCES && !defined EACCESS +# define EACCESS EACCES +#endif + +#ifndef F_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + + +#ifdef _LIBC + +# define access __access +# define getuid __getuid +# define getgid __getgid +# define geteuid __geteuid +# define getegid __getegid +# define group_member __group_member +# define euidaccess __euidaccess +# undef stat +# define stat stat64 + +#endif + +/* Return 0 if the user has permission of type MODE on FILE; + otherwise, return -1 and set 'errno'. + Like access, except that it uses the effective user and group + id's instead of the real ones, and it does not always check for read-only + file system, text busy, etc. */ + +int +euidaccess (const char *file, int mode) +{ +#if HAVE_FACCESSAT /* glibc, AIX 7, Solaris 11, Cygwin 1.7 */ + return faccessat (AT_FDCWD, file, mode, AT_EACCESS); +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ + return access (file, mode | EFF_ONLY_OK); +#elif defined ACC_SELF /* AIX */ + return accessx (file, mode, ACC_SELF); +#elif HAVE_EACCESS /* FreeBSD */ + return eaccess (file, mode); +#else /* Mac OS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ + + uid_t uid = getuid (); + gid_t gid = getgid (); + uid_t euid = geteuid (); + gid_t egid = getegid (); + struct stat stats; + +# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS + + /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to + return the correct result even if this would make it + nonreentrant. Define this only if your entire application is + safe even if the uid or gid might temporarily change. If your + application uses signal handlers or threads it is probably not + safe. */ + + if (mode == F_OK) + return stat (file, &stats); + else + { + int result; + int saved_errno; + + if (uid != euid) + setreuid (euid, uid); + if (gid != egid) + setregid (egid, gid); + + result = access (file, mode); + saved_errno = errno; + + /* Restore them. */ + if (uid != euid) + setreuid (uid, euid); + if (gid != egid) + setregid (gid, egid); + + errno = saved_errno; + return result; + } + +# else + + /* The following code assumes the traditional Unix model, and is not + correct on systems that have ACLs or the like. However, it's + better than nothing, and it is reentrant. */ + + unsigned int granted; + if (uid == euid && gid == egid) + /* If we are not set-uid or set-gid, access does the same. */ + return access (file, mode); + + if (stat (file, &stats) != 0) + return -1; + + /* The super-user can read and write any file, and execute any file + that anyone can execute. */ + if (euid == ROOT_UID + && ((mode & X_OK) == 0 + || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) + return 0; + + /* Convert the mode to traditional form, clearing any bogus bits. */ + if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0) + mode &= 7; + else + mode = ((mode & R_OK ? 4 : 0) + + (mode & W_OK ? 2 : 0) + + (mode & X_OK ? 1 : 0)); + + if (mode == 0) + return 0; /* The file exists. */ + + /* Convert the file's permission bits to traditional form. */ + if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6) + && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3) + && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0)) + granted = stats.st_mode; + else + granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0) + + (stats.st_mode & S_IWUSR ? 2 << 6 : 0) + + (stats.st_mode & S_IXUSR ? 1 << 6 : 0) + + (stats.st_mode & S_IRGRP ? 4 << 3 : 0) + + (stats.st_mode & S_IWGRP ? 2 << 3 : 0) + + (stats.st_mode & S_IXGRP ? 1 << 3 : 0) + + (stats.st_mode & S_IROTH ? 4 << 0 : 0) + + (stats.st_mode & S_IWOTH ? 2 << 0 : 0) + + (stats.st_mode & S_IXOTH ? 1 << 0 : 0)); + + if (euid == stats.st_uid) + granted >>= 6; + else if (egid == stats.st_gid || group_member (stats.st_gid)) + granted >>= 3; + + if ((mode & ~granted) == 0) + return 0; + __set_errno (EACCESS); + return -1; + +# endif +#endif +} +#undef euidaccess +#ifdef weak_alias +weak_alias (__euidaccess, euidaccess) +#endif +\f +#ifdef TEST +# include <error.h> +# include <stdio.h> +# include <stdlib.h> + +char *program_name; + +int +main (int argc, char **argv) +{ + char *file; + int mode; + int err; + + program_name = argv[0]; + if (argc < 3) + abort (); + file = argv[1]; + mode = atoi (argv[2]); + + err = euidaccess (file, mode); + printf ("%d\n", err); + if (err != 0) + error (0, errno, "%s", file); + exit (0); +} +#endif === added file 'lib/getgroups.c' --- lib/getgroups.c 1970-01-01 00:00:00 +0000 +++ lib/getgroups.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,116 @@ +/* provide consistent interface to getgroups for systems that don't allow N==0 + + Copyright (C) 1996, 1999, 2003, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdint.h> + +#if !HAVE_GETGROUPS + +/* Provide a stub that fails with ENOSYS, since there is no group + information available on mingw. */ +int +getgroups (int n _GL_UNUSED, GETGROUPS_T *groups _GL_UNUSED) +{ + errno = ENOSYS; + return -1; +} + +#else /* HAVE_GETGROUPS */ + +# undef getgroups +# ifndef GETGROUPS_ZERO_BUG +# define GETGROUPS_ZERO_BUG 0 +# endif + +/* On at least Ultrix 4.3 and NextStep 3.2, getgroups (0, NULL) always + fails. On other systems, it returns the number of supplemental + groups for the process. This function handles that special case + and lets the system-provided function handle all others. However, + it can fail with ENOMEM if memory is tight. It is unspecified + whether the effective group id is included in the list. */ + +int +rpl_getgroups (int n, gid_t *group) +{ + int n_groups; + GETGROUPS_T *gbuf; + int saved_errno; + + if (n < 0) + { + errno = EINVAL; + return -1; + } + + if (n != 0 || !GETGROUPS_ZERO_BUG) + { + int result; + if (sizeof *group == sizeof *gbuf) + return getgroups (n, (GETGROUPS_T *) group); + + if (SIZE_MAX / sizeof *gbuf <= n) + { + errno = ENOMEM; + return -1; + } + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + result = getgroups (n, gbuf); + if (0 <= result) + { + n = result; + while (n--) + group[n] = gbuf[n]; + } + saved_errno = errno; + free (gbuf); + errno == saved_errno; + return result; + } + + n = 20; + while (1) + { + /* No need to worry about address arithmetic overflow here, + since the ancient systems that we're running on have low + limits on the number of secondary groups. */ + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + n_groups = getgroups (n, gbuf); + if (n_groups == -1 ? errno != EINVAL : n_groups < n) + break; + free (gbuf); + n *= 2; + } + + saved_errno = errno; + free (gbuf); + errno = saved_errno; + + return n_groups; +} + +#endif /* HAVE_GETGROUPS */ === modified file 'lib/gnulib.mk' --- lib/gnulib.mk 2012-10-04 07:15:42 +0000 +++ lib/gnulib.mk 2012-10-12 23:28:31 +0000 @@ -21,7 +21,7 @@ # the same distribution terms as the rest of that program. # # Generated by gnulib-tool. -# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings +# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ euidaccess execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings MOSTLYCLEANFILES += core *.stackdump @@ -150,6 +150,15 @@ ## end gnulib module dup2 +## begin gnulib module euidaccess + + +EXTRA_DIST += euidaccess.c + +EXTRA_libgnu_a_SOURCES += euidaccess.c + +## end gnulib module euidaccess + ## begin gnulib module execinfo BUILT_SOURCES += $(EXECINFO_H) @@ -183,6 +192,17 @@ ## end gnulib module filemode +## begin gnulib module getgroups + +if gl_GNULIB_ENABLED_getgroups + +endif +EXTRA_DIST += getgroups.c + +EXTRA_libgnu_a_SOURCES += getgroups.c + +## end gnulib module getgroups + ## begin gnulib module getloadavg @@ -242,6 +262,17 @@ ## end gnulib module gettimeofday +## begin gnulib module group-member + +if gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1 + +endif +EXTRA_DIST += group-member.c + +EXTRA_libgnu_a_SOURCES += group-member.c + +## end gnulib module group-member + ## begin gnulib module ignore-value @@ -354,6 +385,13 @@ ## end gnulib module readlink +## begin gnulib module root-uid + + +EXTRA_DIST += root-uid.h + +## end gnulib module root-uid + ## begin gnulib module signal-h BUILT_SOURCES += signal.h @@ -1312,6 +1350,15 @@ ## end gnulib module verify +## begin gnulib module xalloc-oversized + +if gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec + +endif +EXTRA_DIST += xalloc-oversized.h + +## end gnulib module xalloc-oversized + mostlyclean-local: mostlyclean-generic @for dir in '' $(MOSTLYCLEANDIRS); do \ === added file 'lib/group-member.c' --- lib/group-member.c 1970-01-01 00:00:00 +0000 +++ lib/group-member.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,119 @@ +/* group-member.c -- determine whether group id is in calling user's group list + + Copyright (C) 1994, 1997-1998, 2003, 2005-2006, 2009-2012 Free Software + Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +/* Specification. */ +#include <unistd.h> + +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> + +#include "xalloc-oversized.h" + +/* Most processes have no more than this many groups, and for these + processes we can avoid using malloc. */ +enum { GROUPBUF_SIZE = 100 }; + +struct group_info + { + gid_t *group; + gid_t groupbuf[GROUPBUF_SIZE]; + }; + +static void +free_group_info (struct group_info const *g) +{ + if (g->group != g->groupbuf) + free (g->group); +} + +static int +get_group_info (struct group_info *gi) +{ + int n_groups = getgroups (GROUPBUF_SIZE, gi->groupbuf); + gi->group = gi->groupbuf; + + if (n_groups < 0) + { + int n_group_slots = getgroups (0, NULL); + if (0 <= n_group_slots + && ! xalloc_oversized (n_group_slots, sizeof *gi->group)) + { + gi->group = malloc (n_group_slots * sizeof *gi->group); + if (gi->group) + n_groups = getgroups (n_group_slots, gi->group); + } + } + + /* In case of error, the user loses. */ + return n_groups; +} + +/* Return non-zero if GID is one that we have in our groups list. + Note that the groups list is not guaranteed to contain the current + or effective group ID, so they should generally be checked + separately. */ + +int +group_member (gid_t gid) +{ + int i; + int found; + struct group_info gi; + int n_groups = get_group_info (&gi); + + /* Search through the list looking for GID. */ + found = 0; + for (i = 0; i < n_groups; i++) + { + if (gid == gi.group[i]) + { + found = 1; + break; + } + } + + free_group_info (&gi); + + return found; +} + +#ifdef TEST + +char *program_name; + +int +main (int argc, char **argv) +{ + int i; + + program_name = argv[0]; + + for (i = 1; i < argc; i++) + { + gid_t gid; + + gid = atoi (argv[i]); + printf ("%d: %s\n", gid, group_member (gid) ? "yes" : "no"); + } + exit (0); +} + +#endif /* TEST */ === added file 'lib/root-uid.h' --- lib/root-uid.h 1970-01-01 00:00:00 +0000 +++ lib/root-uid.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,30 @@ +/* The user ID that always has appropriate privileges in the POSIX sense. + + Copyright 2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + + Written by Paul Eggert. */ + +#ifndef ROOT_UID_H_ +#define ROOT_UID_H_ + +/* The user ID that always has appropriate privileges in the POSIX sense. */ +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + +#endif === added file 'lib/xalloc-oversized.h' --- lib/xalloc-oversized.h 1970-01-01 00:00:00 +0000 +++ lib/xalloc-oversized.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,38 @@ +/* xalloc-oversized.h -- memory allocation size checking + + Copyright (C) 1990-2000, 2003-2004, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#ifndef XALLOC_OVERSIZED_H_ +# define XALLOC_OVERSIZED_H_ + +# include <stddef.h> + +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not a function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +#endif /* !XALLOC_OVERSIZED_H_ */ === added file 'm4/euidaccess.m4' --- m4/euidaccess.m4 1970-01-01 00:00:00 +0000 +++ m4/euidaccess.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,52 @@ +# euidaccess.m4 serial 14 +dnl Copyright (C) 2002-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS], +[ + AC_REQUIRE([gl_FUNC_EUIDACCESS]) + AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], [1], + [Define this if you prefer euidaccess to return the correct result + even if this would make it nonreentrant. Define this only if your + entire application is safe even if the uid or gid might temporarily + change. If your application uses signal handlers or threads it + is probably not safe.]) +]) + +AC_DEFUN([gl_FUNC_EUIDACCESS], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare euidaccess(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS([euidaccess]) + if test $ac_cv_func_euidaccess = no; then + HAVE_EUIDACCESS=0 + fi +]) + +# Prerequisites of lib/euidaccess.c. +AC_DEFUN([gl_PREREQ_EUIDACCESS], [ + dnl Prefer POSIX faccessat over non-standard euidaccess. + AC_CHECK_FUNCS_ONCE([faccessat]) + dnl Try various other non-standard fallbacks. + AC_CHECK_HEADERS_ONCE([libgen.h]) + AC_CHECK_DECLS_ONCE([setregid]) + AC_REQUIRE([AC_FUNC_GETGROUPS]) + + # Solaris 9 and 10 need -lgen to get the eaccess function. + # Save and restore LIBS so -lgen isn't added to it. Otherwise, *all* + # programs in the package would end up linked with that potentially-shared + # library, inducing unnecessary run-time overhead. + LIB_EACCESS= + AC_SUBST([LIB_EACCESS]) + gl_saved_libs=$LIBS + AC_SEARCH_LIBS([eaccess], [gen], + [test "$ac_cv_search_eaccess" = "none required" || + LIB_EACCESS=$ac_cv_search_eaccess]) + AC_CHECK_FUNCS([eaccess]) + LIBS=$gl_saved_libs +]) === added file 'm4/getgroups.m4' --- m4/getgroups.m4 1970-01-01 00:00:00 +0000 +++ m4/getgroups.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,107 @@ +# serial 18 + +dnl From Jim Meyering. +dnl A wrapper around AC_FUNC_GETGROUPS. + +# Copyright (C) 1996-1997, 1999-2004, 2008-2012 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +m4_version_prereq([2.70], [] ,[ + +# This is taken from the following Autoconf patch: +# http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=commitdiff;h=7fbb553727ed7e0e689a17594b58559ecf3ea6e9 +AC_DEFUN([AC_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl for cross-compiles + AC_CHECK_FUNC([getgroups]) + + # If we don't yet have getgroups, see if it's in -lbsd. + # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1. + ac_save_LIBS=$LIBS + if test $ac_cv_func_getgroups = no; then + AC_CHECK_LIB(bsd, getgroups, [GETGROUPS_LIB=-lbsd]) + fi + + # Run the program to test the functionality of the system-supplied + # getgroups function only if there is such a function. + if test $ac_cv_func_getgroups = yes; then + AC_CACHE_CHECK([for working getgroups], [ac_cv_func_getgroups_works], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [AC_INCLUDES_DEFAULT], + [[/* On Ultrix 4.3, getgroups (0, 0) always fails. */ + return getgroups (0, 0) == -1;]]) + ], + [ac_cv_func_getgroups_works=yes], + [ac_cv_func_getgroups_works=no], + [case "$host_os" in # (( + # Guess yes on glibc systems. + *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) ac_cv_func_getgroups_works="guessing no" ;; + esac + ]) + ]) + else + ac_cv_func_getgroups_works=no + fi + case "$ac_cv_func_getgroups_works" in + *yes) + AC_DEFINE([HAVE_GETGROUPS], [1], + [Define to 1 if your system has a working `getgroups' function.]) + ;; + esac + LIBS=$ac_save_LIBS +])# AC_FUNC_GETGROUPS + +]) + +AC_DEFUN([gl_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + AC_REQUIRE([AC_CANONICAL_HOST]) dnl for cross-compiles + + AC_FUNC_GETGROUPS + if test $ac_cv_func_getgroups != yes; then + HAVE_GETGROUPS=0 + else + if test "$ac_cv_type_getgroups" != gid_t \ + || { case "$ac_cv_func_getgroups_works" in + *yes) false;; + *) true;; + esac + }; then + REPLACE_GETGROUPS=1 + AC_DEFINE([GETGROUPS_ZERO_BUG], [1], [Define this to 1 if + getgroups(0,NULL) does not return the number of groups.]) + else + dnl Detect FreeBSD bug; POSIX requires getgroups(-1,ptr) to fail. + AC_CACHE_CHECK([whether getgroups handles negative values], + [gl_cv_func_getgroups_works], + [AC_RUN_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[int size = getgroups (0, 0); + gid_t *list = malloc (size * sizeof *list); + return getgroups (-1, list) != -1;]])], + [gl_cv_func_getgroups_works=yes], + [gl_cv_func_getgroups_works=no], + [case "$host_os" in + # Guess yes on glibc systems. + *-gnu*) gl_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) gl_cv_func_getgroups_works="guessing no" ;; + esac + ])]) + case "$gl_cv_func_getgroups_works" in + *yes) ;; + *) REPLACE_GETGROUPS=1 ;; + esac + fi + fi + test -n "$GETGROUPS_LIB" && LIBS="$GETGROUPS_LIB $LIBS" +]) === modified file 'm4/gnulib-comp.m4' --- m4/gnulib-comp.m4 2012-09-27 01:06:23 +0000 +++ m4/gnulib-comp.m4 2012-10-12 23:28:31 +0000 @@ -53,17 +53,20 @@ # Code from module dtotimespec: # Code from module dup2: # Code from module environ: + # Code from module euidaccess: # Code from module execinfo: # Code from module extensions: AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) # Code from module extern-inline: # Code from module filemode: + # Code from module getgroups: # Code from module getloadavg: # Code from module getopt-gnu: # Code from module getopt-posix: # Code from module gettext-h: # Code from module gettime: # Code from module gettimeofday: + # Code from module group-member: # Code from module ignore-value: # Code from module include_next: # Code from module intprops: @@ -79,6 +82,7 @@ # Code from module pselect: # Code from module pthread_sigmask: # Code from module readlink: + # Code from module root-uid: # Code from module signal-h: # Code from module snippet/_Noreturn: # Code from module snippet/arg-nonnull: @@ -120,6 +124,7 @@ # Code from module utimens: # Code from module verify: # Code from module warnings: + # Code from module xalloc-oversized: ]) # This macro should be invoked from ./configure.ac, in the section @@ -154,6 +159,12 @@ gl_UNISTD_MODULE_INDICATOR([dup2]) gl_ENVIRON gl_UNISTD_MODULE_INDICATOR([environ]) + gl_FUNC_EUIDACCESS + if test $HAVE_EUIDACCESS = 0; then + AC_LIBOBJ([euidaccess]) + gl_PREREQ_EUIDACCESS + fi + gl_UNISTD_MODULE_INDICATOR([euidaccess]) gl_EXECINFO_H AC_REQUIRE([gl_EXTERN_INLINE]) gl_FILEMODE @@ -269,18 +280,32 @@ gl_UNISTD_H gl_UTIMENS gl_gnulib_enabled_dosname=false + gl_gnulib_enabled_getgroups=false gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=false + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=false gl_gnulib_enabled_pathmax=false gl_gnulib_enabled_stat=false gl_gnulib_enabled_strtoll=false gl_gnulib_enabled_strtoull=false gl_gnulib_enabled_verify=false + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=false func_gl_gnulib_m4code_dosname () { if ! $gl_gnulib_enabled_dosname; then gl_gnulib_enabled_dosname=true fi } + func_gl_gnulib_m4code_getgroups () + { + if ! $gl_gnulib_enabled_getgroups; then + gl_FUNC_GETGROUPS + if test $HAVE_GETGROUPS = 0 || test $REPLACE_GETGROUPS = 1; then + AC_LIBOBJ([getgroups]) + fi + gl_UNISTD_MODULE_INDICATOR([getgroups]) + gl_gnulib_enabled_getgroups=true + fi + } func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 () { if ! $gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36; then @@ -289,6 +314,24 @@ gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=true fi } + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 () + { + if ! $gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1; then + gl_FUNC_GROUP_MEMBER + if test $HAVE_GROUP_MEMBER = 0; then + AC_LIBOBJ([group-member]) + gl_PREREQ_GROUP_MEMBER + fi + gl_UNISTD_MODULE_INDICATOR([group-member]) + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=true + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_getgroups + fi + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec + fi + fi + } func_gl_gnulib_m4code_pathmax () { if ! $gl_gnulib_enabled_pathmax; then @@ -347,6 +390,18 @@ gl_gnulib_enabled_verify=true fi } + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec () + { + if ! $gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec; then + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=true + fi + } + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 + fi + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_stat + fi if test $REPLACE_GETOPT = 1; then func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 fi @@ -373,12 +428,15 @@ fi m4_pattern_allow([^gl_GNULIB_ENABLED_]) AM_CONDITIONAL([gl_GNULIB_ENABLED_dosname], [$gl_gnulib_enabled_dosname]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_getgroups], [$gl_gnulib_enabled_getgroups]) AM_CONDITIONAL([gl_GNULIB_ENABLED_be453cec5eecf5731a274f2de7f2db36], [$gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1], [$gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1]) AM_CONDITIONAL([gl_GNULIB_ENABLED_pathmax], [$gl_gnulib_enabled_pathmax]) AM_CONDITIONAL([gl_GNULIB_ENABLED_stat], [$gl_gnulib_enabled_stat]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoll], [$gl_gnulib_enabled_strtoll]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoull], [$gl_gnulib_enabled_strtoull]) AM_CONDITIONAL([gl_GNULIB_ENABLED_verify], [$gl_gnulib_enabled_verify]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec], [$gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec]) # End of code from modules m4_ifval(gl_LIBSOURCES_LIST, [ m4_syscmd([test ! -d ]m4_defn([gl_LIBSOURCES_DIR])[ || @@ -538,12 +596,14 @@ lib/dtoastr.c lib/dtotimespec.c lib/dup2.c + lib/euidaccess.c lib/execinfo.c lib/execinfo.in.h lib/filemode.c lib/filemode.h lib/ftoastr.c lib/ftoastr.h + lib/getgroups.c lib/getloadavg.c lib/getopt.c lib/getopt.in.h @@ -552,6 +612,7 @@ lib/gettext.h lib/gettime.c lib/gettimeofday.c + lib/group-member.c lib/ignore-value.h lib/intprops.h lib/inttypes.in.h @@ -564,6 +625,7 @@ lib/pselect.c lib/pthread_sigmask.c lib/readlink.c + lib/root-uid.h lib/sha1.c lib/sha1.h lib/sha256.c @@ -605,21 +667,25 @@ lib/utimens.c lib/utimens.h lib/verify.h + lib/xalloc-oversized.h m4/00gnulib.m4 m4/alloca.m4 m4/c-strtod.m4 m4/clock_time.m4 m4/dup2.m4 m4/environ.m4 + m4/euidaccess.m4 m4/execinfo.m4 m4/extensions.m4 m4/extern-inline.m4 m4/filemode.m4 + m4/getgroups.m4 m4/getloadavg.m4 m4/getopt.m4 m4/gettime.m4 m4/gettimeofday.m4 m4/gnulib-common.m4 + m4/group-member.m4 m4/include_next.m4 m4/inttypes.m4 m4/largefile.m4 === added file 'm4/group-member.m4' --- m4/group-member.m4 1970-01-01 00:00:00 +0000 +++ m4/group-member.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,29 @@ +# serial 14 + +# Copyright (C) 1999-2001, 2003-2007, 2009-2012 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +dnl Written by Jim Meyering + +AC_DEFUN([gl_FUNC_GROUP_MEMBER], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare group_member(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + dnl Do this replacement check manually because I want the hyphen + dnl (not the underscore) in the filename. + AC_CHECK_FUNC([group_member], , [ + HAVE_GROUP_MEMBER=0 + ]) +]) + +# Prerequisites of lib/group-member.c. +AC_DEFUN([gl_PREREQ_GROUP_MEMBER], +[ + AC_REQUIRE([AC_FUNC_GETGROUPS]) +]) === modified file 'nt/ChangeLog' --- nt/ChangeLog 2012-10-08 14:14:22 +0000 +++ nt/ChangeLog 2012-10-14 18:06:01 +0000 @@ -1,3 +1,9 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * inc/ms-w32.h (euidaccess): Define this, not 'access', since + the mainline code now uses euidaccess. + 2012-10-08 Juanma Barranquero <lekktu@gmail.com> * config.nt: Sync with autogen/config.in. === modified file 'nt/inc/ms-w32.h' --- nt/inc/ms-w32.h 2012-09-30 21:36:42 +0000 +++ nt/inc/ms-w32.h 2012-10-14 18:06:01 +0000 @@ -160,8 +160,6 @@ #endif /* Calls that are emulated or shadowed. */ -#undef access -#define access sys_access #undef chdir #define chdir sys_chdir #undef chmod @@ -176,6 +174,7 @@ #define dup sys_dup #undef dup2 #define dup2 sys_dup2 +#define euidaccess sys_access #define fopen sys_fopen #define link sys_link #define localtime sys_localtime === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-14 00:17:07 +0000 +++ src/ChangeLog 2012-10-14 18:06:01 +0000 @@ -1,3 +1,27 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use euidaccess, not access, when checking file permissions (Bug#12632). + * Makefile.in (LIB_EACCESS): New macro. + (LIBES): Use it. + * callproc.c (init_callproc): + * charset.c (init_charset): + * fileio.c (check_existing, check_executable): + * lread.c (openp, load_path_check): + * process.c (allocate_pty): + * xrdb.c (file_p): + Use euidaccess, not access. Use symbolic names instead of integers + for the flags, as they're portable now. + * fileio.c (Ffile_readable_p): + Use euidaccess, not stat + open + close. + (file_directory_p): New function, which uses 'stat' on most places + but 'access' (for efficiency) if WINDOWSNT. + (Ffile_directory_p): Use it. + * lisp.h (file_directory_p): New decl. + * lread.c (openp): When opening a file, use fstat rather than + stat, as that avoids a permissions race. When not opening a file, + use file_directory_p rather than stat. + * msdos.c (init_environment, readlink): Use sys_access, not access. + 2012-10-13 Jan Djärv <jan.h.d@swipnet.se> * gtkutil.c (xg_set_widget_bg): Divide by 65535 (Bug#12612). === modified file 'src/Makefile.in' --- src/Makefile.in 2012-10-08 12:53:18 +0000 +++ src/Makefile.in 2012-10-13 01:49:41 +0000 @@ -150,6 +150,7 @@ M17N_FLT_LIBS = @M17N_FLT_LIBS@ LIB_CLOCK_GETTIME=@LIB_CLOCK_GETTIME@ +LIB_EACCESS=@LIB_EACCESS@ LIB_TIMER_TIME=@LIB_TIMER_TIME@ DBUS_CFLAGS = @DBUS_CFLAGS@ @@ -392,7 +393,7 @@ LIBES = $(LIBS) $(W32_LIBS) $(LIBX_BASE) $(LIBIMAGE) \ $(LIBX_OTHER) $(LIBSOUND) \ $(RSVG_LIBS) $(IMAGEMAGICK_LIBS) $(LIB_CLOCK_GETTIME) \ - $(LIB_TIMER_TIME) $(DBUS_LIBS) \ + $(LIB_EACCESS) $(LIB_TIMER_TIME) $(DBUS_LIBS) \ $(LIB_EXECINFO) \ $(LIBXML2_LIBS) $(LIBGPM) $(LIBRESOLV) $(LIBS_SYSTEM) \ $(LIBS_TERMCAP) $(GETLOADAVG_LIBS) $(SETTINGS_LIBS) $(LIBSELINUX_LIBS) \ === modified file 'src/callproc.c' --- src/callproc.c 2012-09-23 22:25:22 +0000 +++ src/callproc.c 2012-10-12 23:28:31 +0000 @@ -1597,13 +1597,13 @@ #endif { tempdir = Fdirectory_file_name (Vexec_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-dependent data dir (%s) does not exist.\n", Vexec_directory); } tempdir = Fdirectory_file_name (Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) < 0) dir_warning ("Warning: arch-independent data dir (%s) does not exist.\n", Vdata_directory); === modified file 'src/charset.c' --- src/charset.c 2012-10-01 06:36:54 +0000 +++ src/charset.c 2012-10-12 23:28:31 +0000 @@ -2293,7 +2293,7 @@ { Lisp_Object tempdir; tempdir = Fexpand_file_name (build_string ("charsets"), Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (euidaccess (SSDATA (tempdir), F_OK) != 0) { /* This used to be non-fatal (dir_warning), but it should not happen, and if it does sooner or later it will cause some === modified file 'src/fileio.c' --- src/fileio.c 2012-10-13 08:55:26 +0000 +++ src/fileio.c 2012-10-14 18:06:01 +0000 @@ -2424,15 +2424,7 @@ bool check_existing (const char *filename) { -#ifdef DOS_NT - /* The full emulation of Posix 'stat' is too expensive on - DOS/Windows, when all we want to know is whether the file exists. - So we use 'access' instead, which is much more lightweight. */ - return (access (filename, F_OK) >= 0); -#else - struct stat st; - return (stat (filename, &st) >= 0); -#endif + return euidaccess (filename, F_OK) == 0; } /* Return true if file FILENAME exists and can be executed. */ @@ -2440,21 +2432,7 @@ static bool check_executable (char *filename) { -#ifdef DOS_NT - struct stat st; - if (stat (filename, &st) < 0) - return 0; - return ((st.st_mode & S_IEXEC) != 0); -#else /* not DOS_NT */ -#ifdef HAVE_EUIDACCESS - return (euidaccess (filename, 1) >= 0); -#else - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. */ - return (access (filename, 1) >= 0); -#endif -#endif /* not DOS_NT */ + return euidaccess (filename, X_OK) == 0; } /* Return true if file FILENAME exists and can be written. */ @@ -2463,13 +2441,14 @@ check_writable (const char *filename) { #ifdef MSDOS + /* FIXME: an euidaccess implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return (st.st_mode & S_IWRITE || S_ISDIR (st.st_mode)); #else /* not MSDOS */ -#ifdef HAVE_EUIDACCESS - bool res = (euidaccess (filename, 2) >= 0); + bool res = euidaccess (filename, W_OK) == 0; #ifdef CYGWIN /* euidaccess may have returned failure because Cygwin couldn't determine the file's UID or GID; if so, we return success. */ @@ -2482,14 +2461,6 @@ } #endif /* CYGWIN */ return res; -#else /* not HAVE_EUIDACCESS */ - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. - Opening with O_WRONLY could work for an ordinary file, - but would lose for directories. */ - return (access (filename, 2) >= 0); -#endif /* not HAVE_EUIDACCESS */ #endif /* not MSDOS */ } @@ -2546,9 +2517,6 @@ { Lisp_Object absname; Lisp_Object handler; - int desc; - int flags; - struct stat statbuf; CHECK_STRING (filename); absname = Fexpand_file_name (filename, Qnil); @@ -2560,31 +2528,7 @@ return call2 (handler, Qfile_readable_p, absname); absname = ENCODE_FILE (absname); - -#if defined (DOS_NT) || defined (macintosh) - /* Under MS-DOS, Windows, and Macintosh, open does not work for - directories. */ - if (access (SDATA (absname), 0) == 0) - return Qt; - return Qnil; -#else /* not DOS_NT and not macintosh */ - flags = O_RDONLY; -#ifdef O_NONBLOCK - /* Opening a fifo without O_NONBLOCK can wait. - We don't want to wait. But we don't want to mess wth O_NONBLOCK - except in the case of a fifo, on a system which handles it. */ - desc = stat (SSDATA (absname), &statbuf); - if (desc < 0) - return Qnil; - if (S_ISFIFO (statbuf.st_mode)) - flags |= O_NONBLOCK; -#endif - desc = emacs_open (SSDATA (absname), flags, 0); - if (desc < 0) - return Qnil; - emacs_close (desc); - return Qt; -#endif /* not DOS_NT and not macintosh */ + return euidaccess (SSDATA (absname), R_OK) == 0 ? Qt : Qnil; } /* Having this before file-symlink-p mysteriously caused it to be forgotten @@ -2621,7 +2565,7 @@ /* The read-only attribute of the parent directory doesn't affect whether a file or directory can be created within it. Some day we should check ACLs though, which do affect this. */ - return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; + return file_directory_p (SDATA (dir)) ? Qt : Qnil; #else return (check_writable (!NILP (dir) ? SSDATA (dir) : "") ? Qt : Qnil); @@ -2702,8 +2646,7 @@ See `file-symlink-p' to distinguish symlinks. */) (Lisp_Object filename) { - register Lisp_Object absname; - struct stat st; + Lisp_Object absname; Lisp_Object handler; absname = expand_and_dir_to_file (filename, BVAR (current_buffer, directory)); @@ -2716,9 +2659,20 @@ absname = ENCODE_FILE (absname); - if (stat (SSDATA (absname), &st) < 0) - return Qnil; - return S_ISDIR (st.st_mode) ? Qt : Qnil; + return file_directory_p (SSDATA (absname)) ? Qt : Qnil; +} + +/* Return true if FILE is a directory or a symlink to a directory. */ +bool +file_directory_p (char const *file) +{ +#ifdef WINDOWSNT + /* This is cheaper than 'stat'. */ + return euidaccess (file, D_OK) == 0; +#else + struct stat st; + return stat (file, &st) == 0 && S_ISDIR (st.st_mode); +#endif } DEFUN ("file-accessible-directory-p", Ffile_accessible_directory_p, === modified file 'src/lisp.h' --- src/lisp.h 2012-10-12 15:19:54 +0000 +++ src/lisp.h 2012-10-14 06:00:40 +0000 @@ -3179,6 +3179,7 @@ extern Lisp_Object restore_point_unwind (Lisp_Object); extern _Noreturn void report_file_error (const char *, Lisp_Object); extern void internal_delete_file (Lisp_Object); +extern bool file_directory_p (const char *); extern void syms_of_fileio (void); extern Lisp_Object make_temp_name (Lisp_Object, bool); extern Lisp_Object Qdelete_file; === modified file 'src/lread.c' --- src/lread.c 2012-10-12 15:19:54 +0000 +++ src/lread.c 2012-10-14 06:00:40 +0000 @@ -1404,7 +1404,7 @@ If SUFFIXES is non-nil, it should be a list of suffixes to append to file name when searching. If non-nil, PREDICATE is used instead of `file-readable-p'. -PREDICATE can also be an integer to pass to the access(2) function, +PREDICATE can also be an integer to pass to the euidaccess(2) function, in which case file-name-handlers are ignored. This function will normally skip directories, so if you want it to find directories, make sure the PREDICATE function returns `dir-ok' for them. */) @@ -1442,7 +1442,6 @@ int openp (Lisp_Object path, Lisp_Object str, Lisp_Object suffixes, Lisp_Object *storeptr, Lisp_Object predicate) { - int fd; ptrdiff_t fn_size = 100; char buf[100]; char *fn = buf; @@ -1497,7 +1496,6 @@ { ptrdiff_t fnlen, lsuffix = SBYTES (XCAR (tail)); Lisp_Object handler; - bool exists; /* Concatenate path element/specified name with the suffix. If the directory starts with /:, remove that. */ @@ -1521,6 +1519,7 @@ handler = Ffind_file_name_handler (string, Qfile_exists_p); if ((!NILP (handler) || !NILP (predicate)) && !NATNUMP (predicate)) { + bool exists; if (NILP (predicate)) exists = !NILP (Ffile_readable_p (string)); else @@ -1542,37 +1541,38 @@ } else { -#ifndef WINDOWSNT - struct stat st; -#endif + int fd; const char *pfn; encoded_fn = ENCODE_FILE (string); pfn = SSDATA (encoded_fn); -#ifdef WINDOWSNT - exists = access (pfn, F_OK) == 0 && access (pfn, D_OK) < 0; -#else - exists = (stat (pfn, &st) == 0 && ! S_ISDIR (st.st_mode)); -#endif - if (exists) + + /* Check that we can access or open it. */ + if (NATNUMP (predicate)) + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 + && euidaccess (pfn, XFASTINT (predicate)) == 0 + && ! file_directory_p (pfn)) + ? 1 : -1); + else { - /* Check that we can access or open it. */ - if (NATNUMP (predicate)) - fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 - && access (pfn, XFASTINT (predicate)) == 0) - ? 1 : -1); - else - fd = emacs_open (pfn, O_RDONLY, 0); - - if (fd >= 0) + struct stat st; + fd = emacs_open (pfn, O_RDONLY, 0); + if (0 <= fd + && (fstat (fd, &st) != 0 || S_ISDIR (st.st_mode))) { - /* We succeeded; return this descriptor and filename. */ - if (storeptr) - *storeptr = string; - UNGCPRO; - return fd; + emacs_close (fd); + fd = -1; } } + + if (fd >= 0) + { + /* We succeeded; return this descriptor and filename. */ + if (storeptr) + *storeptr = string; + UNGCPRO; + return fd; + } } } if (absolute) @@ -4088,7 +4088,7 @@ if (STRINGP (dirfile)) { dirfile = Fdirectory_file_name (dirfile); - if (access (SSDATA (dirfile), 0) < 0) + if (euidaccess (SSDATA (dirfile), F_OK) != 0) dir_warning ("Warning: Lisp directory `%s' does not exist.\n", XCAR (path_tail)); } === modified file 'src/msdos.c' --- src/msdos.c 2012-09-23 08:44:20 +0000 +++ src/msdos.c 2012-10-14 18:06:01 +0000 @@ -3557,7 +3557,7 @@ read-only filesystem, like CD-ROM or a write-protected floppy. The only way to be really sure is to actually create a file and see if it succeeds. But I think that's too much to ask. */ - if (tmp && access (tmp, D_OK) == 0) + if (tmp && sys_access (tmp, D_OK) == 0) { setenv ("TMPDIR", tmp, 1); break; @@ -3935,7 +3935,7 @@ readlink (const char *name, char *dummy1, size_t dummy2) { /* `access' is much faster than `stat' on MS-DOS. */ - if (access (name, F_OK) == 0) + if (sys_access (name, F_OK) == 0) errno = EINVAL; return -1; } === modified file 'src/process.c' --- src/process.c 2012-10-13 00:52:01 +0000 +++ src/process.c 2012-10-13 00:55:20 +0000 @@ -663,7 +663,7 @@ #else sprintf (pty_name, "/dev/tty%c%x", c, i); #endif /* no PTY_TTY_NAME_SPRINTF */ - if (access (pty_name, 6) != 0) + if (euidaccess (pty_name, R_OK | W_OK) != 0) { emacs_close (fd); # ifndef __sgi === modified file 'src/xrdb.c' --- src/xrdb.c 2012-09-15 07:06:56 +0000 +++ src/xrdb.c 2012-10-12 23:28:31 +0000 @@ -268,7 +268,7 @@ { struct stat status; - return (access (filename, 4) == 0 /* exists and is readable */ + return (euidaccess (filename, R_OK) == 0 /* exists and is readable */ && stat (filename, &status) == 0 /* get the status */ && (S_ISDIR (status.st_mode)) == 0); /* not a directory */ } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 18:14 ` Paul Eggert @ 2012-10-14 18:39 ` Eli Zaretskii 2012-10-14 19:42 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-14 18:39 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 14 Oct 2012 11:14:39 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > > Emacs should be able to test whether a file exists even if it > > will be unable to access it later. > > Emacs cannot do that. What 'access' does is ask, "If Emacs were > to issue the seteuid system call, and change the effective user > ID to the real user ID, would Emacs then be able to see that the > file exists?" This does not test whether the file exists; it tests > only whether Emacs could see that the file exists in a hypothetical > situation that never actually happens (because Emacs never issues > the seteuid system call). But this isn't what is wanted here: > what is wanted is a test whether Emacs can currently see that the > file exists, and that is what euidaccess does. I can't argue with you, because you seem to bring arguments out of some inner knowledge. The 'access' man page simply says this: F_OK tests for the existence of the file. It says nothing about granting any permissions (unlike when it describes R_OK, W_OK, and X_OK). > === modified file 'src/msdos.c' > --- src/msdos.c 2012-09-23 08:44:20 +0000 > +++ src/msdos.c 2012-10-14 18:06:01 +0000 > @@ -3557,7 +3557,7 @@ > read-only filesystem, like CD-ROM or a write-protected floppy. > The only way to be really sure is to actually create a file and > see if it succeeds. But I think that's too much to ask. */ > - if (tmp && access (tmp, D_OK) == 0) > + if (tmp && sys_access (tmp, D_OK) == 0) > { > setenv ("TMPDIR", tmp, 1); > break; > @@ -3935,7 +3935,7 @@ > readlink (const char *name, char *dummy1, size_t dummy2) > { > /* `access' is much faster than `stat' on MS-DOS. */ > - if (access (name, F_OK) == 0) > + if (sys_access (name, F_OK) == 0) > errno = EINVAL; > return -1; > } This part is wrong: the MSDOS build doesn't have sys_access, and there's nothing wrong with its library's 'access' that would justify such a replacement. Only the MS-Windows build needs 'sys_access'. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 18:39 ` Eli Zaretskii @ 2012-10-14 19:42 ` Paul Eggert 2012-10-14 20:10 ` Eli Zaretskii 2012-10-14 20:17 ` Eli Zaretskii 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-14 19:42 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/14/2012 11:39 AM, Eli Zaretskii wrote: > The 'access' man page simply says this: > > F_OK tests for the existence of the file. > > It says nothing about granting any permissions (unlike when it > describes R_OK, W_OK, and X_OK). One always needs search permissions when resolving file names, no matter what the context, and the 'access' man page doesn't bother to document that. Here's an example to illustrate. Compile the following program on a GNUish host and put it into a file 'a.out'. #define _GNU_SOURCE #include <stdio.h> #include <unistd.h> #include <sys/stat.h> static void try (char const *file) { struct stat st; printf ("%8d %12d %11d %s\n", access (file, F_OK), euidaccess (file, F_OK), stat (file, &st), file); } int main (int argc, char **argv) { printf ("access(F_OK) euidaccess(F_OK) stat() filename\n"); while (*++argv) try (*argv); return 0; } Now, make a.out setuid and owned by someone else, and set up an environment where you're trying to access files in directories that you cannot search, but the other guy can. For example: $ sudo chown games a.out $ sudo chmod u+s a.out $ mkdir -m 700 eggert games uucp $ touch eggert/foo games/foo uucp/foo $ sudo chown games games $ sudo chown uucp uucp $ sudo ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo -rwsr-sr-x. 1 games root 7440 Oct 14 12:21 a.out drwx------. 2 eggert root 4096 Oct 14 12:15 eggert ----------. 1 root root 0 Oct 14 12:15 eggert/foo drwx------. 2 games root 4096 Oct 14 12:15 games ----------. 1 root root 0 Oct 14 12:15 games/foo drwx------. 2 uucp root 4096 Oct 14 12:22 uucp -rw-r--r--. 1 root root 0 Oct 14 12:22 uucp/foo $ ls -ld a.out eggert eggert/foo games games/foo uucp uucp/foo ls: cannot access games/foo: Permission denied ls: cannot access uucp/foo: Permission denied -rwsr-sr-x. 1 games root 7440 Oct 14 12:21 a.out drwx------. 2 eggert root 4096 Oct 14 12:15 eggert ----------. 1 root root 0 Oct 14 12:15 eggert/foo drwx------. 2 games root 4096 Oct 14 12:15 games drwx------. 2 uucp root 4096 Oct 14 12:22 uucp $ ./a.out eggert eggert/foo games games/foo uucp uucp/foo access(F_OK) euidaccess(F_OK) stat() filename 0 0 0 eggert 0 -1 -1 eggert/foo 0 0 0 games -1 0 0 games/foo 0 0 0 uucp -1 -1 -1 uucp/foo euidaccess always agrees with ls and with stat, whereas access does not. We want the semantics of ls and of stat and of euidaccess, not the semantics of access. > This part is wrong: the MSDOS build doesn't have sys_access OK, thanks, I'll leave that part out. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 19:42 ` Paul Eggert @ 2012-10-14 20:10 ` Eli Zaretskii 2012-10-14 20:17 ` Eli Zaretskii 1 sibling, 0 replies; 47+ messages in thread From: Eli Zaretskii @ 2012-10-14 20:10 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 14 Oct 2012 12:42:40 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > On 10/14/2012 11:39 AM, Eli Zaretskii wrote: > > The 'access' man page simply says this: > > > > F_OK tests for the existence of the file. > > > > It says nothing about granting any permissions (unlike when it > > describes R_OK, W_OK, and X_OK). > > One always needs search permissions when resolving file names You are talking about the directories leading to the file. I was talking about the file itself. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 19:42 ` Paul Eggert 2012-10-14 20:10 ` Eli Zaretskii @ 2012-10-14 20:17 ` Eli Zaretskii 2012-10-14 20:40 ` Paul Eggert 1 sibling, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-14 20:17 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 14 Oct 2012 12:42:40 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > $ ./a.out eggert eggert/foo games games/foo uucp uucp/foo > access(F_OK) euidaccess(F_OK) stat() filename > 0 0 0 eggert > 0 -1 -1 eggert/foo > 0 0 0 games > -1 0 0 games/foo > 0 0 0 uucp > -1 -1 -1 uucp/foo > > euidaccess always agrees with ls and with stat, whereas > access does not. If euidaccess always agrees with stat, why does it make sense to switch check_existing to using euidaccess, which is much less portable and non-standard function, requiring yet another bunch of imports from gnulib? ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 20:17 ` Eli Zaretskii @ 2012-10-14 20:40 ` Paul Eggert 2012-10-14 20:53 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-14 20:40 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/14/2012 01:17 PM, Eli Zaretskii wrote: > If euidaccess always agrees with stat, why does it make sense to > switch check_existing to using euidaccess euidaccess always agrees with 'stat' with respect to access checks, but there are other reasons that 'stat' could fail, e.g., on a file that is too large for 'stat' to represent the size. In cases such as these, we want euidaccess here, because euidaccess shouldn't fail for these other reasons. > You are talking about the directories leading to the file. I was > talking about the file itself. OK, but in this context it doesn't make sense to talk about just the file itself, since the file is being accessed via a name, and one needs proper permissions to use the name. For both access and euidaccess, the F_OK check means "I don't care about the permissions about the file itself; all I care about are the permissions on the file's name", as far as permissions are concerned. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 20:40 ` Paul Eggert @ 2012-10-14 20:53 ` Eli Zaretskii 2012-10-15 6:17 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-14 20:53 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 14 Oct 2012 13:40:52 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > On 10/14/2012 01:17 PM, Eli Zaretskii wrote: > > If euidaccess always agrees with stat, why does it make sense to > > switch check_existing to using euidaccess > > euidaccess always agrees with 'stat' with respect to access checks, > but there are other reasons that 'stat' could fail, e.g., > on a file that is too large for 'stat' to represent the size. That sounds like a very weak reason to switch to a non-portable API, especially since Emacs will be unable to do anything with such imaginary files anyway. And gnulib's euidaccess will also fail for them in most non-trivial cases, because it calls stat. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-14 20:53 ` Eli Zaretskii @ 2012-10-15 6:17 ` Paul Eggert 2012-10-15 17:31 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-15 6:17 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 [-- Attachment #1: Type: text/plain, Size: 664 bytes --] On 10/14/2012 01:53 PM, Eli Zaretskii wrote: > That sounds like a very weak reason to switch to a non-portable API Since the main objection here seems to be using the non-portable function euidaccess, I changed the patch to use faccessat instead. faccessat, unlike euidaccess, is standardized by POSIX; it's a tad more-complicated to use but it is standard and it's no doubt a better solution in the long run anyway. The patch uses the Gnulib substitute for faccessat for obsolescent POSIXish hosts that lack faccessat. For Windows the patch simply reworks the existing substitute for 'access' so that it implements faccessat instead. Revised patch attached. [-- Attachment #2: faccessat.txt --] [-- Type: text/plain, Size: 75350 bytes --] === modified file '.bzrignore' --- .bzrignore 2012-10-11 11:26:26 +0000 +++ .bzrignore 2012-10-15 06:05:46 +0000 @@ -87,6 +87,7 @@ lib/arg-nonnull.h lib/c++defs.h lib/execinfo.h +lib/fcntl.h lib/getopt.h lib/inttypes.h lib/stdalign.h === modified file 'ChangeLog' --- ChangeLog 2012-10-11 11:29:47 +0000 +++ ChangeLog 2012-10-15 06:05:46 +0000 @@ -1,3 +1,16 @@ +2012-10-15 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * .bzrignore: Add lib/fcntl.h. + * configure.ac (euidaccess): Remove check; gnulib does this for us now. + (gl_FCNTL_O_FLAGS): Define a dummy version. + * lib/at-func.c, lib/euidaccess.c, lib/faccessat.c, lib/fcntl.in.h: + * lib/getgroups.c, lib/group-member.c, lib/root-uid.h: + * lib/xalloc-oversized.h, m4/euidaccess.m4, m4/faccessat.m4: + * m4/fcntl_h.m4, m4/getgroups.m4, m4/group-member.m4: + New files, from gnulib. + * lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate. + 2012-10-11 Kenichi Handa <handa@gnu.org> * .bzrignore: Add several files under admin/charsets. === modified file 'admin/ChangeLog' --- admin/ChangeLog 2012-10-14 08:01:30 +0000 +++ admin/ChangeLog 2012-10-15 06:05:46 +0000 @@ -1,3 +1,11 @@ +2012-10-14 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * merge-gnulib (GNULIB_MODULES): Add faccessat. + (GNULIB_TOOL_FLAGS): Avoid at-internal, fchdir, malloc-posix, + openat-die, openat-h, save-cwd. Do not avoid fcntl-h. + Omit gnulib's m4/fcntl-o.m4. + 2012-10-12 Kenichi Handa <handa@gnu.org> * charsets/Makefile (JISC6226.map): Add missing mappings. === modified file 'admin/merge-gnulib' --- admin/merge-gnulib 2012-09-27 01:06:23 +0000 +++ admin/merge-gnulib 2012-10-15 06:05:46 +0000 @@ -28,7 +28,7 @@ GNULIB_MODULES=' alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 - dtoastr dtotimespec dup2 environ execinfo + dtoastr dtotimespec dup2 environ execinfo faccessat filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink @@ -39,9 +39,12 @@ ' GNULIB_TOOL_FLAGS=' - --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat - --avoid=msvc-inval --avoid=msvc-nothrow - --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types + --avoid=at-internal + --avoid=errno --avoid=fchdir --avoid=fcntl --avoid=fstat + --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow + --avoid=openat-die --avoid=openat-h + --avoid=raise + --avoid=save-cwd --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --conditional-dependencies --import --no-changelog --no-vc-files --makefile-name=gnulib.mk @@ -85,7 +88,7 @@ } "$gnulib_srcdir"/gnulib-tool --dir="$src" $GNULIB_TOOL_FLAGS $GNULIB_MODULES && -rm -- "$src"m4/gnulib-cache.m4 "$src"m4/warn-on-use.m4 && +rm -- "$src"m4/fcntl-o.m4 "$src"m4/gnulib-cache.m4 "$src"m4/warn-on-use.m4 && cp -- "$gnulib_srcdir"/build-aux/texinfo.tex "$src"doc/misc && cp -- "$gnulib_srcdir"/build-aux/move-if-change "$src"build-aux && autoreconf -i -I m4 -- ${src:+"$src"} === modified file 'configure.ac' --- configure.ac 2012-10-08 16:09:00 +0000 +++ configure.ac 2012-10-15 06:05:46 +0000 @@ -572,6 +572,8 @@ test "x$NON_GCC_TEST_OPTIONS" != x && CC="$CC $NON_GCC_TEST_OPTIONS" fi +# Avoid gnulib's tests for O_NOATIME and O_NOFOLLOW, as we don't use them. +AC_DEFUN([gl_FCNTL_O_FLAGS]) # Avoid gnulib's threadlib module, as we do threads our own way. AC_DEFUN([gl_THREADLIB]) @@ -2872,7 +2874,7 @@ AC_CHECK_FUNCS(gethostname \ closedir getrusage get_current_dir_name \ lrand48 setsid \ -fpathconf select euidaccess getpagesize setlocale \ +fpathconf select getpagesize setlocale \ utimes getrlimit setrlimit setpgid getcwd shutdown getaddrinfo \ __fpending strsignal setitimer \ sendto recvfrom getsockname getpeername getifaddrs freeifaddrs \ === added file 'lib/at-func.c' --- lib/at-func.c 1970-01-01 00:00:00 +0000 +++ lib/at-func.c 2012-10-15 06:05:46 +0000 @@ -0,0 +1,146 @@ +/* Define at-style functions like fstatat, unlinkat, fchownat, etc. + Copyright (C) 2006, 2009-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include "dosname.h" /* solely for definition of IS_ABSOLUTE_FILE_NAME */ + +#ifdef GNULIB_SUPPORT_ONLY_AT_FDCWD +# include <errno.h> +# ifndef ENOTSUP +# define ENOTSUP EINVAL +# endif +#else +# include "openat.h" +# include "openat-priv.h" +# include "save-cwd.h" +#endif + +#ifdef AT_FUNC_USE_F1_COND +# define CALL_FUNC(F) \ + (flag == AT_FUNC_USE_F1_COND \ + ? AT_FUNC_F1 (F AT_FUNC_POST_FILE_ARGS) \ + : AT_FUNC_F2 (F AT_FUNC_POST_FILE_ARGS)) +# define VALIDATE_FLAG(F) \ + if (flag & ~AT_FUNC_USE_F1_COND) \ + { \ + errno = EINVAL; \ + return FUNC_FAIL; \ + } +#else +# define CALL_FUNC(F) (AT_FUNC_F1 (F AT_FUNC_POST_FILE_ARGS)) +# define VALIDATE_FLAG(F) /* empty */ +#endif + +#ifdef AT_FUNC_RESULT +# define FUNC_RESULT AT_FUNC_RESULT +#else +# define FUNC_RESULT int +#endif + +#ifdef AT_FUNC_FAIL +# define FUNC_FAIL AT_FUNC_FAIL +#else +# define FUNC_FAIL -1 +#endif + +/* Call AT_FUNC_F1 to operate on FILE, which is in the directory + open on descriptor FD. If AT_FUNC_USE_F1_COND is defined to a value, + AT_FUNC_POST_FILE_PARAM_DECLS must include a parameter named flag; + call AT_FUNC_F2 if FLAG is 0 or fail if FLAG contains more bits than + AT_FUNC_USE_F1_COND. Return int and fail with -1 unless AT_FUNC_RESULT + or AT_FUNC_FAIL are defined. If possible, do it without changing the + working directory. Otherwise, resort to using save_cwd/fchdir, + then AT_FUNC_F?/restore_cwd. If either the save_cwd or the restore_cwd + fails, then give a diagnostic and exit nonzero. */ +FUNC_RESULT +AT_FUNC_NAME (int fd, char const *file AT_FUNC_POST_FILE_PARAM_DECLS) +{ + VALIDATE_FLAG (flag); + + if (fd == AT_FDCWD || IS_ABSOLUTE_FILE_NAME (file)) + return CALL_FUNC (file); + +#ifdef GNULIB_SUPPORT_ONLY_AT_FDCWD + errno = ENOTSUP; + return FUNC_FAIL; +#else + { + /* Be careful to choose names unlikely to conflict with + AT_FUNC_POST_FILE_PARAM_DECLS. */ + struct saved_cwd saved_cwd; + int saved_errno; + FUNC_RESULT err; + + { + char proc_buf[OPENAT_BUFFER_SIZE]; + char *proc_file = openat_proc_name (proc_buf, fd, file); + if (proc_file) + { + FUNC_RESULT proc_result = CALL_FUNC (proc_file); + int proc_errno = errno; + if (proc_file != proc_buf) + free (proc_file); + /* If the syscall succeeds, or if it fails with an unexpected + errno value, then return right away. Otherwise, fall through + and resort to using save_cwd/restore_cwd. */ + if (FUNC_FAIL != proc_result) + return proc_result; + if (! EXPECTED_ERRNO (proc_errno)) + { + errno = proc_errno; + return proc_result; + } + } + } + + if (save_cwd (&saved_cwd) != 0) + openat_save_fail (errno); + if (0 <= fd && fd == saved_cwd.desc) + { + /* If saving the working directory collides with the user's + requested fd, then the user's fd must have been closed to + begin with. */ + free_cwd (&saved_cwd); + errno = EBADF; + return FUNC_FAIL; + } + + if (fchdir (fd) != 0) + { + saved_errno = errno; + free_cwd (&saved_cwd); + errno = saved_errno; + return FUNC_FAIL; + } + + err = CALL_FUNC (file); + saved_errno = (err == FUNC_FAIL ? errno : 0); + + if (restore_cwd (&saved_cwd) != 0) + openat_restore_fail (errno); + + free_cwd (&saved_cwd); + + if (saved_errno) + errno = saved_errno; + return err; + } +#endif +} +#undef CALL_FUNC +#undef FUNC_RESULT +#undef FUNC_FAIL === added file 'lib/euidaccess.c' --- lib/euidaccess.c 1970-01-01 00:00:00 +0000 +++ lib/euidaccess.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,221 @@ +/* euidaccess -- check if effective user id can access file + + Copyright (C) 1990-1991, 1995, 1998, 2000, 2003-2006, 2008-2012 Free + Software Foundation, Inc. + + This file is part of the GNU C Library. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by David MacKenzie and Torbjorn Granlund. + Adapted for GNU C library by Roland McGrath. */ + +#ifndef _LIBC +# include <config.h> +#endif + +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "root-uid.h" + +#if HAVE_LIBGEN_H +# include <libgen.h> +#endif + +#include <errno.h> +#ifndef __set_errno +# define __set_errno(val) errno = (val) +#endif + +#if defined EACCES && !defined EACCESS +# define EACCESS EACCES +#endif + +#ifndef F_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + + +#ifdef _LIBC + +# define access __access +# define getuid __getuid +# define getgid __getgid +# define geteuid __geteuid +# define getegid __getegid +# define group_member __group_member +# define euidaccess __euidaccess +# undef stat +# define stat stat64 + +#endif + +/* Return 0 if the user has permission of type MODE on FILE; + otherwise, return -1 and set 'errno'. + Like access, except that it uses the effective user and group + id's instead of the real ones, and it does not always check for read-only + file system, text busy, etc. */ + +int +euidaccess (const char *file, int mode) +{ +#if HAVE_FACCESSAT /* glibc, AIX 7, Solaris 11, Cygwin 1.7 */ + return faccessat (AT_FDCWD, file, mode, AT_EACCESS); +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ + return access (file, mode | EFF_ONLY_OK); +#elif defined ACC_SELF /* AIX */ + return accessx (file, mode, ACC_SELF); +#elif HAVE_EACCESS /* FreeBSD */ + return eaccess (file, mode); +#else /* Mac OS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ + + uid_t uid = getuid (); + gid_t gid = getgid (); + uid_t euid = geteuid (); + gid_t egid = getegid (); + struct stat stats; + +# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS + + /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to + return the correct result even if this would make it + nonreentrant. Define this only if your entire application is + safe even if the uid or gid might temporarily change. If your + application uses signal handlers or threads it is probably not + safe. */ + + if (mode == F_OK) + return stat (file, &stats); + else + { + int result; + int saved_errno; + + if (uid != euid) + setreuid (euid, uid); + if (gid != egid) + setregid (egid, gid); + + result = access (file, mode); + saved_errno = errno; + + /* Restore them. */ + if (uid != euid) + setreuid (uid, euid); + if (gid != egid) + setregid (gid, egid); + + errno = saved_errno; + return result; + } + +# else + + /* The following code assumes the traditional Unix model, and is not + correct on systems that have ACLs or the like. However, it's + better than nothing, and it is reentrant. */ + + unsigned int granted; + if (uid == euid && gid == egid) + /* If we are not set-uid or set-gid, access does the same. */ + return access (file, mode); + + if (stat (file, &stats) != 0) + return -1; + + /* The super-user can read and write any file, and execute any file + that anyone can execute. */ + if (euid == ROOT_UID + && ((mode & X_OK) == 0 + || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) + return 0; + + /* Convert the mode to traditional form, clearing any bogus bits. */ + if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0) + mode &= 7; + else + mode = ((mode & R_OK ? 4 : 0) + + (mode & W_OK ? 2 : 0) + + (mode & X_OK ? 1 : 0)); + + if (mode == 0) + return 0; /* The file exists. */ + + /* Convert the file's permission bits to traditional form. */ + if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6) + && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3) + && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0)) + granted = stats.st_mode; + else + granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0) + + (stats.st_mode & S_IWUSR ? 2 << 6 : 0) + + (stats.st_mode & S_IXUSR ? 1 << 6 : 0) + + (stats.st_mode & S_IRGRP ? 4 << 3 : 0) + + (stats.st_mode & S_IWGRP ? 2 << 3 : 0) + + (stats.st_mode & S_IXGRP ? 1 << 3 : 0) + + (stats.st_mode & S_IROTH ? 4 << 0 : 0) + + (stats.st_mode & S_IWOTH ? 2 << 0 : 0) + + (stats.st_mode & S_IXOTH ? 1 << 0 : 0)); + + if (euid == stats.st_uid) + granted >>= 6; + else if (egid == stats.st_gid || group_member (stats.st_gid)) + granted >>= 3; + + if ((mode & ~granted) == 0) + return 0; + __set_errno (EACCESS); + return -1; + +# endif +#endif +} +#undef euidaccess +#ifdef weak_alias +weak_alias (__euidaccess, euidaccess) +#endif +\f +#ifdef TEST +# include <error.h> +# include <stdio.h> +# include <stdlib.h> + +char *program_name; + +int +main (int argc, char **argv) +{ + char *file; + int mode; + int err; + + program_name = argv[0]; + if (argc < 3) + abort (); + file = argv[1]; + mode = atoi (argv[2]); + + err = euidaccess (file, mode); + printf ("%d\n", err); + if (err != 0) + error (0, errno, "%s", file); + exit (0); +} +#endif === added file 'lib/faccessat.c' --- lib/faccessat.c 1970-01-01 00:00:00 +0000 +++ lib/faccessat.c 2012-10-15 06:05:46 +0000 @@ -0,0 +1,45 @@ +/* Check the access rights of a file relative to an open directory. + Copyright (C) 2009-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Eric Blake */ + +#include <config.h> + +#include <unistd.h> +#include <fcntl.h> + +#ifndef HAVE_ACCESS +/* Mingw lacks access, but it also lacks real vs. effective ids, so + the gnulib euidaccess module is good enough. */ +# undef access +# define access euidaccess +#endif + +/* Invoke access or euidaccess on file, FILE, using mode MODE, in the directory + open on descriptor FD. If possible, do it without changing the + working directory. Otherwise, resort to using save_cwd/fchdir, then + (access|euidaccess)/restore_cwd. If either the save_cwd or the + restore_cwd fails, then give a diagnostic and exit nonzero. + Note that this implementation only supports AT_EACCESS, although some + native versions also support AT_SYMLINK_NOFOLLOW. */ + +#define AT_FUNC_NAME faccessat +#define AT_FUNC_F1 euidaccess +#define AT_FUNC_F2 access +#define AT_FUNC_USE_F1_COND AT_EACCESS +#define AT_FUNC_POST_FILE_PARAM_DECLS , int mode, int flag +#define AT_FUNC_POST_FILE_ARGS , mode +#include "at-func.c" === added file 'lib/fcntl.in.h' --- lib/fcntl.in.h 1970-01-01 00:00:00 +0000 +++ lib/fcntl.in.h 2012-10-15 06:05:46 +0000 @@ -0,0 +1,335 @@ +/* Like <fcntl.h>, but with non-working flags defined to 0. + + Copyright (C) 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Paul Eggert */ + +#if __GNUC__ >= 3 +@PRAGMA_SYSTEM_HEADER@ +#endif +@PRAGMA_COLUMNS@ + +#if defined __need_system_fcntl_h +/* Special invocation convention. */ + +/* Needed before <sys/stat.h>. + May also define off_t to a 64-bit type on native Windows. */ +#include <sys/types.h> +/* On some systems other than glibc, <sys/stat.h> is a prerequisite of + <fcntl.h>. On glibc systems, we would like to avoid namespace pollution. + But on glibc systems, <fcntl.h> includes <sys/stat.h> inside an + extern "C" { ... } block, which leads to errors in C++ mode with the + overridden <sys/stat.h> from gnulib. These errors are known to be gone + with g++ version >= 4.3. */ +#if !(defined __GLIBC__ || defined __UCLIBC__) || (defined __cplusplus && defined GNULIB_NAMESPACE && !(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))) +# include <sys/stat.h> +#endif +#@INCLUDE_NEXT@ @NEXT_FCNTL_H@ + +#else +/* Normal invocation convention. */ + +#ifndef _@GUARD_PREFIX@_FCNTL_H + +/* Needed before <sys/stat.h>. + May also define off_t to a 64-bit type on native Windows. */ +#include <sys/types.h> +/* On some systems other than glibc, <sys/stat.h> is a prerequisite of + <fcntl.h>. On glibc systems, we would like to avoid namespace pollution. + But on glibc systems, <fcntl.h> includes <sys/stat.h> inside an + extern "C" { ... } block, which leads to errors in C++ mode with the + overridden <sys/stat.h> from gnulib. These errors are known to be gone + with g++ version >= 4.3. */ +#if !(defined __GLIBC__ || defined __UCLIBC__) || (defined __cplusplus && defined GNULIB_NAMESPACE && !(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))) +# include <sys/stat.h> +#endif +/* The include_next requires a split double-inclusion guard. */ +#@INCLUDE_NEXT@ @NEXT_FCNTL_H@ + +#ifndef _@GUARD_PREFIX@_FCNTL_H +#define _@GUARD_PREFIX@_FCNTL_H + +#ifndef __GLIBC__ /* Avoid namespace pollution on glibc systems. */ +# include <unistd.h> +#endif + +/* Native Windows platforms declare open(), creat() in <io.h>. */ +#if (@GNULIB_OPEN@ || defined GNULIB_POSIXCHECK) \ + && ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__) +# include <io.h> +#endif + + +/* The definitions of _GL_FUNCDECL_RPL etc. are copied here. */ + +/* The definition of _GL_ARG_NONNULL is copied here. */ + +/* The definition of _GL_WARN_ON_USE is copied here. */ + + +/* Declare overridden functions. */ + +#if @GNULIB_FCNTL@ +# if @REPLACE_FCNTL@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef fcntl +# define fcntl rpl_fcntl +# endif +_GL_FUNCDECL_RPL (fcntl, int, (int fd, int action, ...)); +_GL_CXXALIAS_RPL (fcntl, int, (int fd, int action, ...)); +# else +# if !@HAVE_FCNTL@ +_GL_FUNCDECL_SYS (fcntl, int, (int fd, int action, ...)); +# endif +_GL_CXXALIAS_SYS (fcntl, int, (int fd, int action, ...)); +# endif +_GL_CXXALIASWARN (fcntl); +#elif defined GNULIB_POSIXCHECK +# undef fcntl +# if HAVE_RAW_DECL_FCNTL +_GL_WARN_ON_USE (fcntl, "fcntl is not always POSIX compliant - " + "use gnulib module fcntl for portability"); +# endif +#endif + +#if @GNULIB_OPEN@ +# if @REPLACE_OPEN@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef open +# define open rpl_open +# endif +_GL_FUNCDECL_RPL (open, int, (const char *filename, int flags, ...) + _GL_ARG_NONNULL ((1))); +_GL_CXXALIAS_RPL (open, int, (const char *filename, int flags, ...)); +# else +_GL_CXXALIAS_SYS (open, int, (const char *filename, int flags, ...)); +# endif +/* On HP-UX 11, in C++ mode, open() is defined as an inline function with a + default argument. _GL_CXXALIASWARN does not work in this case. */ +# if !defined __hpux +_GL_CXXALIASWARN (open); +# endif +#elif defined GNULIB_POSIXCHECK +# undef open +/* Assume open is always declared. */ +_GL_WARN_ON_USE (open, "open is not always POSIX compliant - " + "use gnulib module open for portability"); +#endif + +#if @GNULIB_OPENAT@ +# if @REPLACE_OPENAT@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef openat +# define openat rpl_openat +# endif +_GL_FUNCDECL_RPL (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...) + _GL_ARG_NONNULL ((2))); +_GL_CXXALIAS_RPL (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...)); +# else +# if !@HAVE_OPENAT@ +_GL_FUNCDECL_SYS (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...) + _GL_ARG_NONNULL ((2))); +# endif +_GL_CXXALIAS_SYS (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...)); +# endif +_GL_CXXALIASWARN (openat); +#elif defined GNULIB_POSIXCHECK +# undef openat +# if HAVE_RAW_DECL_OPENAT +_GL_WARN_ON_USE (openat, "openat is not portable - " + "use gnulib module openat for portability"); +# endif +#endif + + +/* Fix up the FD_* macros, only known to be missing on mingw. */ + +#ifndef FD_CLOEXEC +# define FD_CLOEXEC 1 +#endif + +/* Fix up the supported F_* macros. Intentionally leave other F_* + macros undefined. Only known to be missing on mingw. */ + +#ifndef F_DUPFD_CLOEXEC +# define F_DUPFD_CLOEXEC 0x40000000 +/* Witness variable: 1 if gnulib defined F_DUPFD_CLOEXEC, 0 otherwise. */ +# define GNULIB_defined_F_DUPFD_CLOEXEC 1 +#else +# define GNULIB_defined_F_DUPFD_CLOEXEC 0 +#endif + +#ifndef F_DUPFD +# define F_DUPFD 1 +#endif + +#ifndef F_GETFD +# define F_GETFD 2 +#endif + +/* Fix up the O_* macros. */ + +#if !defined O_DIRECT && defined O_DIRECTIO +/* Tru64 spells it 'O_DIRECTIO'. */ +# define O_DIRECT O_DIRECTIO +#endif + +#if !defined O_CLOEXEC && defined O_NOINHERIT +/* Mingw spells it 'O_NOINHERIT'. */ +# define O_CLOEXEC O_NOINHERIT +#endif + +#ifndef O_CLOEXEC +# define O_CLOEXEC 0 +#endif + +#ifndef O_DIRECT +# define O_DIRECT 0 +#endif + +#ifndef O_DIRECTORY +# define O_DIRECTORY 0 +#endif + +#ifndef O_DSYNC +# define O_DSYNC 0 +#endif + +#ifndef O_EXEC +# define O_EXEC O_RDONLY /* This is often close enough in older systems. */ +#endif + +#ifndef O_NDELAY +# define O_NDELAY 0 +#endif + +#ifndef O_NOATIME +# define O_NOATIME 0 +#endif + +#ifndef O_NONBLOCK +# define O_NONBLOCK O_NDELAY +#endif + +/* If the gnulib module 'nonblocking' is in use, guarantee a working non-zero + value of O_NONBLOCK. Otherwise, O_NONBLOCK is defined (above) to O_NDELAY + or to 0 as fallback. */ +#if @GNULIB_NONBLOCKING@ +# if O_NONBLOCK +# define GNULIB_defined_O_NONBLOCK 0 +# else +# define GNULIB_defined_O_NONBLOCK 1 +# undef O_NONBLOCK +# define O_NONBLOCK 0x40000000 +# endif +#endif + +#ifndef O_NOCTTY +# define O_NOCTTY 0 +#endif + +#ifndef O_NOFOLLOW +# define O_NOFOLLOW 0 +#endif + +#ifndef O_NOLINKS +# define O_NOLINKS 0 +#endif + +#ifndef O_RSYNC +# define O_RSYNC 0 +#endif + +#ifndef O_SEARCH +# define O_SEARCH O_RDONLY /* This is often close enough in older systems. */ +#endif + +#ifndef O_SYNC +# define O_SYNC 0 +#endif + +#ifndef O_TTY_INIT +# define O_TTY_INIT 0 +#endif + +#if O_ACCMODE != (O_RDONLY | O_WRONLY | O_RDWR | O_EXEC | O_SEARCH) +# undef O_ACCMODE +# define O_ACCMODE (O_RDONLY | O_WRONLY | O_RDWR | O_EXEC | O_SEARCH) +#endif + +/* For systems that distinguish between text and binary I/O. + O_BINARY is usually declared in fcntl.h */ +#if !defined O_BINARY && defined _O_BINARY + /* For MSC-compatible compilers. */ +# define O_BINARY _O_BINARY +# define O_TEXT _O_TEXT +#endif + +#if defined __BEOS__ || defined __HAIKU__ + /* BeOS 5 and Haiku have O_BINARY and O_TEXT, but they have no effect. */ +# undef O_BINARY +# undef O_TEXT +#endif + +#ifndef O_BINARY +# define O_BINARY 0 +# define O_TEXT 0 +#endif + +/* Fix up the AT_* macros. */ + +/* Work around a bug in Solaris 9 and 10: AT_FDCWD is positive. Its + value exceeds INT_MAX, so its use as an int doesn't conform to the + C standard, and GCC and Sun C complain in some cases. If the bug + is present, undef AT_FDCWD here, so it can be redefined below. */ +#if 0 < AT_FDCWD && AT_FDCWD == 0xffd19553 +# undef AT_FDCWD +#endif + +/* Use the same bit pattern as Solaris 9, but with the proper + signedness. The bit pattern is important, in case this actually is + Solaris with the above workaround. */ +#ifndef AT_FDCWD +# define AT_FDCWD (-3041965) +#endif + +/* Use the same values as Solaris 9. This shouldn't matter, but + there's no real reason to differ. */ +#ifndef AT_SYMLINK_NOFOLLOW +# define AT_SYMLINK_NOFOLLOW 4096 +#endif + +#ifndef AT_REMOVEDIR +# define AT_REMOVEDIR 1 +#endif + +/* Solaris 9 lacks these two, so just pick unique values. */ +#ifndef AT_SYMLINK_FOLLOW +# define AT_SYMLINK_FOLLOW 2 +#endif + +#ifndef AT_EACCESS +# define AT_EACCESS 4 +#endif + + +#endif /* _@GUARD_PREFIX@_FCNTL_H */ +#endif /* _@GUARD_PREFIX@_FCNTL_H */ +#endif === added file 'lib/getgroups.c' --- lib/getgroups.c 1970-01-01 00:00:00 +0000 +++ lib/getgroups.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,116 @@ +/* provide consistent interface to getgroups for systems that don't allow N==0 + + Copyright (C) 1996, 1999, 2003, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdint.h> + +#if !HAVE_GETGROUPS + +/* Provide a stub that fails with ENOSYS, since there is no group + information available on mingw. */ +int +getgroups (int n _GL_UNUSED, GETGROUPS_T *groups _GL_UNUSED) +{ + errno = ENOSYS; + return -1; +} + +#else /* HAVE_GETGROUPS */ + +# undef getgroups +# ifndef GETGROUPS_ZERO_BUG +# define GETGROUPS_ZERO_BUG 0 +# endif + +/* On at least Ultrix 4.3 and NextStep 3.2, getgroups (0, NULL) always + fails. On other systems, it returns the number of supplemental + groups for the process. This function handles that special case + and lets the system-provided function handle all others. However, + it can fail with ENOMEM if memory is tight. It is unspecified + whether the effective group id is included in the list. */ + +int +rpl_getgroups (int n, gid_t *group) +{ + int n_groups; + GETGROUPS_T *gbuf; + int saved_errno; + + if (n < 0) + { + errno = EINVAL; + return -1; + } + + if (n != 0 || !GETGROUPS_ZERO_BUG) + { + int result; + if (sizeof *group == sizeof *gbuf) + return getgroups (n, (GETGROUPS_T *) group); + + if (SIZE_MAX / sizeof *gbuf <= n) + { + errno = ENOMEM; + return -1; + } + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + result = getgroups (n, gbuf); + if (0 <= result) + { + n = result; + while (n--) + group[n] = gbuf[n]; + } + saved_errno = errno; + free (gbuf); + errno == saved_errno; + return result; + } + + n = 20; + while (1) + { + /* No need to worry about address arithmetic overflow here, + since the ancient systems that we're running on have low + limits on the number of secondary groups. */ + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + n_groups = getgroups (n, gbuf); + if (n_groups == -1 ? errno != EINVAL : n_groups < n) + break; + free (gbuf); + n *= 2; + } + + saved_errno = errno; + free (gbuf); + errno = saved_errno; + + return n_groups; +} + +#endif /* HAVE_GETGROUPS */ === modified file 'lib/gnulib.mk' --- lib/gnulib.mk 2012-10-04 07:15:42 +0000 +++ lib/gnulib.mk 2012-10-15 06:05:46 +0000 @@ -21,7 +21,7 @@ # the same distribution terms as the rest of that program. # # Generated by gnulib-tool. -# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings +# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=at-internal --avoid=errno --avoid=fchdir --avoid=fcntl --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=openat-die --avoid=openat-h --avoid=raise --avoid=save-cwd --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo faccessat filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings MOSTLYCLEANFILES += core *.stackdump @@ -150,6 +150,17 @@ ## end gnulib module dup2 +## begin gnulib module euidaccess + +if gl_GNULIB_ENABLED_euidaccess + +endif +EXTRA_DIST += euidaccess.c + +EXTRA_libgnu_a_SOURCES += euidaccess.c + +## end gnulib module euidaccess + ## begin gnulib module execinfo BUILT_SOURCES += $(EXECINFO_H) @@ -175,6 +186,50 @@ ## end gnulib module execinfo +## begin gnulib module faccessat + + +EXTRA_DIST += at-func.c faccessat.c + +EXTRA_libgnu_a_SOURCES += at-func.c faccessat.c + +## end gnulib module faccessat + +## begin gnulib module fcntl-h + +BUILT_SOURCES += fcntl.h + +# We need the following in order to create <fcntl.h> when the system +# doesn't have one that works with the given compiler. +fcntl.h: fcntl.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H) $(WARN_ON_USE_H) + $(AM_V_GEN)rm -f $@-t $@ && \ + { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ + sed -e 's|@''GUARD_PREFIX''@|GL|g' \ + -e 's|@''INCLUDE_NEXT''@|$(INCLUDE_NEXT)|g' \ + -e 's|@''PRAGMA_SYSTEM_HEADER''@|@PRAGMA_SYSTEM_HEADER@|g' \ + -e 's|@''PRAGMA_COLUMNS''@|@PRAGMA_COLUMNS@|g' \ + -e 's|@''NEXT_FCNTL_H''@|$(NEXT_FCNTL_H)|g' \ + -e 's/@''GNULIB_FCNTL''@/$(GNULIB_FCNTL)/g' \ + -e 's/@''GNULIB_NONBLOCKING''@/$(GNULIB_NONBLOCKING)/g' \ + -e 's/@''GNULIB_OPEN''@/$(GNULIB_OPEN)/g' \ + -e 's/@''GNULIB_OPENAT''@/$(GNULIB_OPENAT)/g' \ + -e 's|@''HAVE_FCNTL''@|$(HAVE_FCNTL)|g' \ + -e 's|@''HAVE_OPENAT''@|$(HAVE_OPENAT)|g' \ + -e 's|@''REPLACE_FCNTL''@|$(REPLACE_FCNTL)|g' \ + -e 's|@''REPLACE_OPEN''@|$(REPLACE_OPEN)|g' \ + -e 's|@''REPLACE_OPENAT''@|$(REPLACE_OPENAT)|g' \ + -e '/definitions of _GL_FUNCDECL_RPL/r $(CXXDEFS_H)' \ + -e '/definition of _GL_ARG_NONNULL/r $(ARG_NONNULL_H)' \ + -e '/definition of _GL_WARN_ON_USE/r $(WARN_ON_USE_H)' \ + < $(srcdir)/fcntl.in.h; \ + } > $@-t && \ + mv $@-t $@ +MOSTLYCLEANFILES += fcntl.h fcntl.h-t + +EXTRA_DIST += fcntl.in.h + +## end gnulib module fcntl-h + ## begin gnulib module filemode libgnu_a_SOURCES += filemode.c @@ -183,6 +238,17 @@ ## end gnulib module filemode +## begin gnulib module getgroups + +if gl_GNULIB_ENABLED_getgroups + +endif +EXTRA_DIST += getgroups.c + +EXTRA_libgnu_a_SOURCES += getgroups.c + +## end gnulib module getgroups + ## begin gnulib module getloadavg @@ -242,6 +308,17 @@ ## end gnulib module gettimeofday +## begin gnulib module group-member + +if gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1 + +endif +EXTRA_DIST += group-member.c + +EXTRA_libgnu_a_SOURCES += group-member.c + +## end gnulib module group-member + ## begin gnulib module ignore-value @@ -354,6 +431,15 @@ ## end gnulib module readlink +## begin gnulib module root-uid + +if gl_GNULIB_ENABLED_6099e9737f757db36c47fa9d9f02e88c + +endif +EXTRA_DIST += root-uid.h + +## end gnulib module root-uid + ## begin gnulib module signal-h BUILT_SOURCES += signal.h @@ -1312,6 +1398,15 @@ ## end gnulib module verify +## begin gnulib module xalloc-oversized + +if gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec + +endif +EXTRA_DIST += xalloc-oversized.h + +## end gnulib module xalloc-oversized + mostlyclean-local: mostlyclean-generic @for dir in '' $(MOSTLYCLEANDIRS); do \ === added file 'lib/group-member.c' --- lib/group-member.c 1970-01-01 00:00:00 +0000 +++ lib/group-member.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,119 @@ +/* group-member.c -- determine whether group id is in calling user's group list + + Copyright (C) 1994, 1997-1998, 2003, 2005-2006, 2009-2012 Free Software + Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +/* Specification. */ +#include <unistd.h> + +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> + +#include "xalloc-oversized.h" + +/* Most processes have no more than this many groups, and for these + processes we can avoid using malloc. */ +enum { GROUPBUF_SIZE = 100 }; + +struct group_info + { + gid_t *group; + gid_t groupbuf[GROUPBUF_SIZE]; + }; + +static void +free_group_info (struct group_info const *g) +{ + if (g->group != g->groupbuf) + free (g->group); +} + +static int +get_group_info (struct group_info *gi) +{ + int n_groups = getgroups (GROUPBUF_SIZE, gi->groupbuf); + gi->group = gi->groupbuf; + + if (n_groups < 0) + { + int n_group_slots = getgroups (0, NULL); + if (0 <= n_group_slots + && ! xalloc_oversized (n_group_slots, sizeof *gi->group)) + { + gi->group = malloc (n_group_slots * sizeof *gi->group); + if (gi->group) + n_groups = getgroups (n_group_slots, gi->group); + } + } + + /* In case of error, the user loses. */ + return n_groups; +} + +/* Return non-zero if GID is one that we have in our groups list. + Note that the groups list is not guaranteed to contain the current + or effective group ID, so they should generally be checked + separately. */ + +int +group_member (gid_t gid) +{ + int i; + int found; + struct group_info gi; + int n_groups = get_group_info (&gi); + + /* Search through the list looking for GID. */ + found = 0; + for (i = 0; i < n_groups; i++) + { + if (gid == gi.group[i]) + { + found = 1; + break; + } + } + + free_group_info (&gi); + + return found; +} + +#ifdef TEST + +char *program_name; + +int +main (int argc, char **argv) +{ + int i; + + program_name = argv[0]; + + for (i = 1; i < argc; i++) + { + gid_t gid; + + gid = atoi (argv[i]); + printf ("%d: %s\n", gid, group_member (gid) ? "yes" : "no"); + } + exit (0); +} + +#endif /* TEST */ === added file 'lib/root-uid.h' --- lib/root-uid.h 1970-01-01 00:00:00 +0000 +++ lib/root-uid.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,30 @@ +/* The user ID that always has appropriate privileges in the POSIX sense. + + Copyright 2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + + Written by Paul Eggert. */ + +#ifndef ROOT_UID_H_ +#define ROOT_UID_H_ + +/* The user ID that always has appropriate privileges in the POSIX sense. */ +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + +#endif === added file 'lib/xalloc-oversized.h' --- lib/xalloc-oversized.h 1970-01-01 00:00:00 +0000 +++ lib/xalloc-oversized.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,38 @@ +/* xalloc-oversized.h -- memory allocation size checking + + Copyright (C) 1990-2000, 2003-2004, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#ifndef XALLOC_OVERSIZED_H_ +# define XALLOC_OVERSIZED_H_ + +# include <stddef.h> + +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not a function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +#endif /* !XALLOC_OVERSIZED_H_ */ === added file 'm4/euidaccess.m4' --- m4/euidaccess.m4 1970-01-01 00:00:00 +0000 +++ m4/euidaccess.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,52 @@ +# euidaccess.m4 serial 14 +dnl Copyright (C) 2002-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS], +[ + AC_REQUIRE([gl_FUNC_EUIDACCESS]) + AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], [1], + [Define this if you prefer euidaccess to return the correct result + even if this would make it nonreentrant. Define this only if your + entire application is safe even if the uid or gid might temporarily + change. If your application uses signal handlers or threads it + is probably not safe.]) +]) + +AC_DEFUN([gl_FUNC_EUIDACCESS], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare euidaccess(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS([euidaccess]) + if test $ac_cv_func_euidaccess = no; then + HAVE_EUIDACCESS=0 + fi +]) + +# Prerequisites of lib/euidaccess.c. +AC_DEFUN([gl_PREREQ_EUIDACCESS], [ + dnl Prefer POSIX faccessat over non-standard euidaccess. + AC_CHECK_FUNCS_ONCE([faccessat]) + dnl Try various other non-standard fallbacks. + AC_CHECK_HEADERS_ONCE([libgen.h]) + AC_CHECK_DECLS_ONCE([setregid]) + AC_REQUIRE([AC_FUNC_GETGROUPS]) + + # Solaris 9 and 10 need -lgen to get the eaccess function. + # Save and restore LIBS so -lgen isn't added to it. Otherwise, *all* + # programs in the package would end up linked with that potentially-shared + # library, inducing unnecessary run-time overhead. + LIB_EACCESS= + AC_SUBST([LIB_EACCESS]) + gl_saved_libs=$LIBS + AC_SEARCH_LIBS([eaccess], [gen], + [test "$ac_cv_search_eaccess" = "none required" || + LIB_EACCESS=$ac_cv_search_eaccess]) + AC_CHECK_FUNCS([eaccess]) + LIBS=$gl_saved_libs +]) === added file 'm4/faccessat.m4' --- m4/faccessat.m4 1970-01-01 00:00:00 +0000 +++ m4/faccessat.m4 2012-10-15 06:05:46 +0000 @@ -0,0 +1,28 @@ +# serial 6 +# See if we need to provide faccessat replacement. + +dnl Copyright (C) 2009-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +# Written by Eric Blake. + +AC_DEFUN([gl_FUNC_FACCESSAT], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare faccessat(). + AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS_ONCE([faccessat]) + if test $ac_cv_func_faccessat = no; then + HAVE_FACCESSAT=0 + fi +]) + +# Prerequisites of lib/faccessat.m4. +AC_DEFUN([gl_PREREQ_FACCESSAT], +[ + AC_CHECK_FUNCS([access]) +]) === added file 'm4/fcntl_h.m4' --- m4/fcntl_h.m4 1970-01-01 00:00:00 +0000 +++ m4/fcntl_h.m4 2012-10-15 06:05:46 +0000 @@ -0,0 +1,50 @@ +# serial 15 +# Configure fcntl.h. +dnl Copyright (C) 2006-2007, 2009-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl Written by Paul Eggert. + +AC_DEFUN([gl_FCNTL_H], +[ + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + AC_REQUIRE([gl_FCNTL_O_FLAGS]) + gl_NEXT_HEADERS([fcntl.h]) + + dnl Ensure the type pid_t gets defined. + AC_REQUIRE([AC_TYPE_PID_T]) + + dnl Ensure the type mode_t gets defined. + AC_REQUIRE([AC_TYPE_MODE_T]) + + dnl Check for declarations of anything we want to poison if the + dnl corresponding gnulib module is not in use, if it is not common + dnl enough to be declared everywhere. + gl_WARN_ON_USE_PREPARE([[#include <fcntl.h> + ]], [fcntl openat]) +]) + +AC_DEFUN([gl_FCNTL_MODULE_INDICATOR], +[ + dnl Use AC_REQUIRE here, so that the default settings are expanded once only. + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + gl_MODULE_INDICATOR_SET_VARIABLE([$1]) + dnl Define it also as a C macro, for the benefit of the unit tests. + gl_MODULE_INDICATOR_FOR_TESTS([$1]) +]) + +AC_DEFUN([gl_FCNTL_H_DEFAULTS], +[ + GNULIB_FCNTL=0; AC_SUBST([GNULIB_FCNTL]) + GNULIB_NONBLOCKING=0; AC_SUBST([GNULIB_NONBLOCKING]) + GNULIB_OPEN=0; AC_SUBST([GNULIB_OPEN]) + GNULIB_OPENAT=0; AC_SUBST([GNULIB_OPENAT]) + dnl Assume proper GNU behavior unless another module says otherwise. + HAVE_FCNTL=1; AC_SUBST([HAVE_FCNTL]) + HAVE_OPENAT=1; AC_SUBST([HAVE_OPENAT]) + REPLACE_FCNTL=0; AC_SUBST([REPLACE_FCNTL]) + REPLACE_OPEN=0; AC_SUBST([REPLACE_OPEN]) + REPLACE_OPENAT=0; AC_SUBST([REPLACE_OPENAT]) +]) === added file 'm4/getgroups.m4' --- m4/getgroups.m4 1970-01-01 00:00:00 +0000 +++ m4/getgroups.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,107 @@ +# serial 18 + +dnl From Jim Meyering. +dnl A wrapper around AC_FUNC_GETGROUPS. + +# Copyright (C) 1996-1997, 1999-2004, 2008-2012 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +m4_version_prereq([2.70], [] ,[ + +# This is taken from the following Autoconf patch: +# http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=commitdiff;h=7fbb553727ed7e0e689a17594b58559ecf3ea6e9 +AC_DEFUN([AC_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl for cross-compiles + AC_CHECK_FUNC([getgroups]) + + # If we don't yet have getgroups, see if it's in -lbsd. + # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1. + ac_save_LIBS=$LIBS + if test $ac_cv_func_getgroups = no; then + AC_CHECK_LIB(bsd, getgroups, [GETGROUPS_LIB=-lbsd]) + fi + + # Run the program to test the functionality of the system-supplied + # getgroups function only if there is such a function. + if test $ac_cv_func_getgroups = yes; then + AC_CACHE_CHECK([for working getgroups], [ac_cv_func_getgroups_works], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [AC_INCLUDES_DEFAULT], + [[/* On Ultrix 4.3, getgroups (0, 0) always fails. */ + return getgroups (0, 0) == -1;]]) + ], + [ac_cv_func_getgroups_works=yes], + [ac_cv_func_getgroups_works=no], + [case "$host_os" in # (( + # Guess yes on glibc systems. + *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) ac_cv_func_getgroups_works="guessing no" ;; + esac + ]) + ]) + else + ac_cv_func_getgroups_works=no + fi + case "$ac_cv_func_getgroups_works" in + *yes) + AC_DEFINE([HAVE_GETGROUPS], [1], + [Define to 1 if your system has a working `getgroups' function.]) + ;; + esac + LIBS=$ac_save_LIBS +])# AC_FUNC_GETGROUPS + +]) + +AC_DEFUN([gl_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + AC_REQUIRE([AC_CANONICAL_HOST]) dnl for cross-compiles + + AC_FUNC_GETGROUPS + if test $ac_cv_func_getgroups != yes; then + HAVE_GETGROUPS=0 + else + if test "$ac_cv_type_getgroups" != gid_t \ + || { case "$ac_cv_func_getgroups_works" in + *yes) false;; + *) true;; + esac + }; then + REPLACE_GETGROUPS=1 + AC_DEFINE([GETGROUPS_ZERO_BUG], [1], [Define this to 1 if + getgroups(0,NULL) does not return the number of groups.]) + else + dnl Detect FreeBSD bug; POSIX requires getgroups(-1,ptr) to fail. + AC_CACHE_CHECK([whether getgroups handles negative values], + [gl_cv_func_getgroups_works], + [AC_RUN_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[int size = getgroups (0, 0); + gid_t *list = malloc (size * sizeof *list); + return getgroups (-1, list) != -1;]])], + [gl_cv_func_getgroups_works=yes], + [gl_cv_func_getgroups_works=no], + [case "$host_os" in + # Guess yes on glibc systems. + *-gnu*) gl_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) gl_cv_func_getgroups_works="guessing no" ;; + esac + ])]) + case "$gl_cv_func_getgroups_works" in + *yes) ;; + *) REPLACE_GETGROUPS=1 ;; + esac + fi + fi + test -n "$GETGROUPS_LIB" && LIBS="$GETGROUPS_LIB $LIBS" +]) === modified file 'm4/gnulib-comp.m4' --- m4/gnulib-comp.m4 2012-09-27 01:06:23 +0000 +++ m4/gnulib-comp.m4 2012-10-15 06:05:46 +0000 @@ -53,17 +53,22 @@ # Code from module dtotimespec: # Code from module dup2: # Code from module environ: + # Code from module euidaccess: # Code from module execinfo: # Code from module extensions: AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) # Code from module extern-inline: + # Code from module faccessat: + # Code from module fcntl-h: # Code from module filemode: + # Code from module getgroups: # Code from module getloadavg: # Code from module getopt-gnu: # Code from module getopt-posix: # Code from module gettext-h: # Code from module gettime: # Code from module gettimeofday: + # Code from module group-member: # Code from module ignore-value: # Code from module include_next: # Code from module intprops: @@ -79,6 +84,7 @@ # Code from module pselect: # Code from module pthread_sigmask: # Code from module readlink: + # Code from module root-uid: # Code from module signal-h: # Code from module snippet/_Noreturn: # Code from module snippet/arg-nonnull: @@ -120,6 +126,7 @@ # Code from module utimens: # Code from module verify: # Code from module warnings: + # Code from module xalloc-oversized: ]) # This macro should be invoked from ./configure.ac, in the section @@ -156,6 +163,14 @@ gl_UNISTD_MODULE_INDICATOR([environ]) gl_EXECINFO_H AC_REQUIRE([gl_EXTERN_INLINE]) + gl_FUNC_FACCESSAT + if test $HAVE_FACCESSAT = 0; then + AC_LIBOBJ([faccessat]) + gl_PREREQ_FACCESSAT + fi + gl_MODULE_INDICATOR([faccessat]) + gl_UNISTD_MODULE_INDICATOR([faccessat]) + gl_FCNTL_H gl_FILEMODE gl_GETLOADAVG if test $HAVE_GETLOADAVG = 0; then @@ -269,18 +284,53 @@ gl_UNISTD_H gl_UTIMENS gl_gnulib_enabled_dosname=false + gl_gnulib_enabled_euidaccess=false + gl_gnulib_enabled_getgroups=false gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=false + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=false gl_gnulib_enabled_pathmax=false + gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c=false gl_gnulib_enabled_stat=false gl_gnulib_enabled_strtoll=false gl_gnulib_enabled_strtoull=false gl_gnulib_enabled_verify=false + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=false func_gl_gnulib_m4code_dosname () { if ! $gl_gnulib_enabled_dosname; then gl_gnulib_enabled_dosname=true fi } + func_gl_gnulib_m4code_euidaccess () + { + if ! $gl_gnulib_enabled_euidaccess; then + gl_FUNC_EUIDACCESS + if test $HAVE_EUIDACCESS = 0; then + AC_LIBOBJ([euidaccess]) + gl_PREREQ_EUIDACCESS + fi + gl_UNISTD_MODULE_INDICATOR([euidaccess]) + gl_gnulib_enabled_euidaccess=true + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 + fi + func_gl_gnulib_m4code_6099e9737f757db36c47fa9d9f02e88c + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_stat + fi + fi + } + func_gl_gnulib_m4code_getgroups () + { + if ! $gl_gnulib_enabled_getgroups; then + gl_FUNC_GETGROUPS + if test $HAVE_GETGROUPS = 0 || test $REPLACE_GETGROUPS = 1; then + AC_LIBOBJ([getgroups]) + fi + gl_UNISTD_MODULE_INDICATOR([getgroups]) + gl_gnulib_enabled_getgroups=true + fi + } func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 () { if ! $gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36; then @@ -289,6 +339,24 @@ gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=true fi } + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 () + { + if ! $gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1; then + gl_FUNC_GROUP_MEMBER + if test $HAVE_GROUP_MEMBER = 0; then + AC_LIBOBJ([group-member]) + gl_PREREQ_GROUP_MEMBER + fi + gl_UNISTD_MODULE_INDICATOR([group-member]) + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=true + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_getgroups + fi + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec + fi + fi + } func_gl_gnulib_m4code_pathmax () { if ! $gl_gnulib_enabled_pathmax; then @@ -296,6 +364,12 @@ gl_gnulib_enabled_pathmax=true fi } + func_gl_gnulib_m4code_6099e9737f757db36c47fa9d9f02e88c () + { + if ! $gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c; then + gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c=true + fi + } func_gl_gnulib_m4code_stat () { if ! $gl_gnulib_enabled_stat; then @@ -347,6 +421,18 @@ gl_gnulib_enabled_verify=true fi } + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec () + { + if ! $gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec; then + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=true + fi + } + if test $HAVE_FACCESSAT = 0; then + func_gl_gnulib_m4code_dosname + fi + if test $HAVE_FACCESSAT = 0; then + func_gl_gnulib_m4code_euidaccess + fi if test $REPLACE_GETOPT = 1; then func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 fi @@ -373,12 +459,17 @@ fi m4_pattern_allow([^gl_GNULIB_ENABLED_]) AM_CONDITIONAL([gl_GNULIB_ENABLED_dosname], [$gl_gnulib_enabled_dosname]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_euidaccess], [$gl_gnulib_enabled_euidaccess]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_getgroups], [$gl_gnulib_enabled_getgroups]) AM_CONDITIONAL([gl_GNULIB_ENABLED_be453cec5eecf5731a274f2de7f2db36], [$gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1], [$gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1]) AM_CONDITIONAL([gl_GNULIB_ENABLED_pathmax], [$gl_gnulib_enabled_pathmax]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_6099e9737f757db36c47fa9d9f02e88c], [$gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c]) AM_CONDITIONAL([gl_GNULIB_ENABLED_stat], [$gl_gnulib_enabled_stat]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoll], [$gl_gnulib_enabled_strtoll]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoull], [$gl_gnulib_enabled_strtoull]) AM_CONDITIONAL([gl_GNULIB_ENABLED_verify], [$gl_gnulib_enabled_verify]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec], [$gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec]) # End of code from modules m4_ifval(gl_LIBSOURCES_LIST, [ m4_syscmd([test ! -d ]m4_defn([gl_LIBSOURCES_DIR])[ || @@ -527,6 +618,7 @@ lib/alloca.in.h lib/allocator.c lib/allocator.h + lib/at-func.c lib/c-ctype.c lib/c-ctype.h lib/c-strcase.h @@ -538,12 +630,16 @@ lib/dtoastr.c lib/dtotimespec.c lib/dup2.c + lib/euidaccess.c lib/execinfo.c lib/execinfo.in.h + lib/faccessat.c + lib/fcntl.in.h lib/filemode.c lib/filemode.h lib/ftoastr.c lib/ftoastr.h + lib/getgroups.c lib/getloadavg.c lib/getopt.c lib/getopt.in.h @@ -552,6 +648,7 @@ lib/gettext.h lib/gettime.c lib/gettimeofday.c + lib/group-member.c lib/ignore-value.h lib/intprops.h lib/inttypes.in.h @@ -564,6 +661,7 @@ lib/pselect.c lib/pthread_sigmask.c lib/readlink.c + lib/root-uid.h lib/sha1.c lib/sha1.h lib/sha256.c @@ -605,21 +703,28 @@ lib/utimens.c lib/utimens.h lib/verify.h + lib/xalloc-oversized.h m4/00gnulib.m4 m4/alloca.m4 m4/c-strtod.m4 m4/clock_time.m4 m4/dup2.m4 m4/environ.m4 + m4/euidaccess.m4 m4/execinfo.m4 m4/extensions.m4 m4/extern-inline.m4 + m4/faccessat.m4 + m4/fcntl-o.m4 + m4/fcntl_h.m4 m4/filemode.m4 + m4/getgroups.m4 m4/getloadavg.m4 m4/getopt.m4 m4/gettime.m4 m4/gettimeofday.m4 m4/gnulib-common.m4 + m4/group-member.m4 m4/include_next.m4 m4/inttypes.m4 m4/largefile.m4 === added file 'm4/group-member.m4' --- m4/group-member.m4 1970-01-01 00:00:00 +0000 +++ m4/group-member.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,29 @@ +# serial 14 + +# Copyright (C) 1999-2001, 2003-2007, 2009-2012 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +dnl Written by Jim Meyering + +AC_DEFUN([gl_FUNC_GROUP_MEMBER], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare group_member(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + dnl Do this replacement check manually because I want the hyphen + dnl (not the underscore) in the filename. + AC_CHECK_FUNC([group_member], , [ + HAVE_GROUP_MEMBER=0 + ]) +]) + +# Prerequisites of lib/group-member.c. +AC_DEFUN([gl_PREREQ_GROUP_MEMBER], +[ + AC_REQUIRE([AC_FUNC_GETGROUPS]) +]) === modified file 'nt/ChangeLog' --- nt/ChangeLog 2012-10-08 14:14:22 +0000 +++ nt/ChangeLog 2012-10-15 06:05:46 +0000 @@ -1,3 +1,10 @@ +2012-10-15 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * inc/ms-w32.h (AT_FDCWD, AT_EACCESS): New symbols. + (access): Remove. + (faccessat): New macro. + 2012-10-08 Juanma Barranquero <lekktu@gmail.com> * config.nt: Sync with autogen/config.in. === modified file 'nt/inc/ms-w32.h' --- nt/inc/ms-w32.h 2012-09-30 21:36:42 +0000 +++ nt/inc/ms-w32.h 2012-10-15 06:05:46 +0000 @@ -139,6 +139,10 @@ #define MAXPATHLEN _MAX_PATH #endif +/* Use values compatible with gnulib, as there's no reason to differ. */ +#define AT_FDCWD (-3041965) +#define AT_EACCESS 4 + #ifdef HAVE_NTGUI #define HAVE_WINDOW_SYSTEM 1 #define HAVE_MENUS 1 @@ -160,8 +164,6 @@ #endif /* Calls that are emulated or shadowed. */ -#undef access -#define access sys_access #undef chdir #define chdir sys_chdir #undef chmod @@ -176,6 +178,7 @@ #define dup sys_dup #undef dup2 #define dup2 sys_dup2 +#define faccessat sys_faccessat #define fopen sys_fopen #define link sys_link #define localtime sys_localtime === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-15 01:38:07 +0000 +++ src/ChangeLog 2012-10-15 06:07:05 +0000 @@ -1,3 +1,30 @@ +2012-10-15 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * Makefile.in (LIB_EACCESS): New macro. + (LIBES): Use it. + * callproc.c (init_callproc): + * charset.c (init_charset): + * fileio.c (check_existing, check_executable): + * lread.c (openp, load_path_check): + * process.c (allocate_pty): + * xrdb.c (file_p): + Use faccessat, not access or euidaccess. Use symbolic names + instead of integers for the flags, as they're portable now. + * charset.c, xrdb.c: Include <fcntl.h>, for the new flags used. + * fileio.c (Ffile_readable_p): + Use faccessat, not stat + open + close. + (file_directory_p): New function, which uses 'stat' on most places + but 'access' (for efficiency) if WINDOWSNT. + * fileio.c (Ffile_directory_p, Fset_file_times): + * xrdb.c (file_p): Use file_directory_p. + * lisp.h (file_directory_p): New decl. + * lread.c (openp): When opening a file, use fstat rather than + stat, as that avoids a permissions race. When not opening a file, + use file_directory_p rather than stat. + * w32.c (sys_faccessat): Rename from sys_access and switch to + faccessat's API. + 2012-10-15 Daniel Colascione <dancol@dancol.org> * dbusbind.c: Fix cygw32 build break when compiling with dbus === modified file 'src/Makefile.in' --- src/Makefile.in 2012-10-08 12:53:18 +0000 +++ src/Makefile.in 2012-10-13 01:49:41 +0000 @@ -150,6 +150,7 @@ M17N_FLT_LIBS = @M17N_FLT_LIBS@ LIB_CLOCK_GETTIME=@LIB_CLOCK_GETTIME@ +LIB_EACCESS=@LIB_EACCESS@ LIB_TIMER_TIME=@LIB_TIMER_TIME@ DBUS_CFLAGS = @DBUS_CFLAGS@ @@ -392,7 +393,7 @@ LIBES = $(LIBS) $(W32_LIBS) $(LIBX_BASE) $(LIBIMAGE) \ $(LIBX_OTHER) $(LIBSOUND) \ $(RSVG_LIBS) $(IMAGEMAGICK_LIBS) $(LIB_CLOCK_GETTIME) \ - $(LIB_TIMER_TIME) $(DBUS_LIBS) \ + $(LIB_EACCESS) $(LIB_TIMER_TIME) $(DBUS_LIBS) \ $(LIB_EXECINFO) \ $(LIBXML2_LIBS) $(LIBGPM) $(LIBRESOLV) $(LIBS_SYSTEM) \ $(LIBS_TERMCAP) $(GETLOADAVG_LIBS) $(SETTINGS_LIBS) $(LIBSELINUX_LIBS) \ === modified file 'src/callproc.c' --- src/callproc.c 2012-09-23 22:25:22 +0000 +++ src/callproc.c 2012-10-15 06:05:46 +0000 @@ -1597,13 +1597,13 @@ #endif { tempdir = Fdirectory_file_name (Vexec_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (faccessat (AT_FDCWD, SSDATA (tempdir), F_OK, AT_EACCESS) != 0) dir_warning ("Warning: arch-dependent data dir (%s) does not exist.\n", Vexec_directory); } tempdir = Fdirectory_file_name (Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (faccessat (AT_FDCWD, SSDATA (tempdir), F_OK, AT_EACCESS) != 0) dir_warning ("Warning: arch-independent data dir (%s) does not exist.\n", Vdata_directory); === modified file 'src/charset.c' --- src/charset.c 2012-10-01 06:36:54 +0000 +++ src/charset.c 2012-10-15 06:05:46 +0000 @@ -28,6 +28,7 @@ #define CHARSET_INLINE EXTERN_INLINE +#include <fcntl.h> #include <stdio.h> #include <unistd.h> #include <limits.h> @@ -2293,7 +2294,7 @@ { Lisp_Object tempdir; tempdir = Fexpand_file_name (build_string ("charsets"), Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (faccessat (AT_FDCWD, SSDATA (tempdir), F_OK, AT_EACCESS) != 0) { /* This used to be non-fatal (dir_warning), but it should not happen, and if it does sooner or later it will cause some === modified file 'src/conf_post.h' --- src/conf_post.h 2012-10-08 22:14:39 +0000 +++ src/conf_post.h 2012-10-15 06:05:46 +0000 @@ -169,6 +169,10 @@ #endif #endif +/* Tell gnulib to omit support for openat-related functions having a + first argument other than AT_FDCWD. */ +#define GNULIB_SUPPORT_ONLY_AT_FDCWD + #include <string.h> #include <stdlib.h> === modified file 'src/fileio.c' --- src/fileio.c 2012-10-13 08:55:26 +0000 +++ src/fileio.c 2012-10-15 06:05:46 +0000 @@ -2424,15 +2424,7 @@ bool check_existing (const char *filename) { -#ifdef DOS_NT - /* The full emulation of Posix 'stat' is too expensive on - DOS/Windows, when all we want to know is whether the file exists. - So we use 'access' instead, which is much more lightweight. */ - return (access (filename, F_OK) >= 0); -#else - struct stat st; - return (stat (filename, &st) >= 0); -#endif + return faccessat (AT_FDCWD, filename, F_OK, AT_EACCESS) == 0; } /* Return true if file FILENAME exists and can be executed. */ @@ -2440,21 +2432,7 @@ static bool check_executable (char *filename) { -#ifdef DOS_NT - struct stat st; - if (stat (filename, &st) < 0) - return 0; - return ((st.st_mode & S_IEXEC) != 0); -#else /* not DOS_NT */ -#ifdef HAVE_EUIDACCESS - return (euidaccess (filename, 1) >= 0); -#else - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. */ - return (access (filename, 1) >= 0); -#endif -#endif /* not DOS_NT */ + return faccessat (AT_FDCWD, filename, X_OK, AT_EACCESS) == 0; } /* Return true if file FILENAME exists and can be written. */ @@ -2463,15 +2441,16 @@ check_writable (const char *filename) { #ifdef MSDOS + /* FIXME: an faccessat implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; return (st.st_mode & S_IWRITE || S_ISDIR (st.st_mode)); #else /* not MSDOS */ -#ifdef HAVE_EUIDACCESS - bool res = (euidaccess (filename, 2) >= 0); + bool res = faccessat (AT_FDCWD, filename, W_OK, AT_EACCESS) == 0; #ifdef CYGWIN - /* euidaccess may have returned failure because Cygwin couldn't + /* faccessat may have returned failure because Cygwin couldn't determine the file's UID or GID; if so, we return success. */ if (!res) { @@ -2482,14 +2461,6 @@ } #endif /* CYGWIN */ return res; -#else /* not HAVE_EUIDACCESS */ - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. - Opening with O_WRONLY could work for an ordinary file, - but would lose for directories. */ - return (access (filename, 2) >= 0); -#endif /* not HAVE_EUIDACCESS */ #endif /* not MSDOS */ } @@ -2546,9 +2517,6 @@ { Lisp_Object absname; Lisp_Object handler; - int desc; - int flags; - struct stat statbuf; CHECK_STRING (filename); absname = Fexpand_file_name (filename, Qnil); @@ -2560,31 +2528,8 @@ return call2 (handler, Qfile_readable_p, absname); absname = ENCODE_FILE (absname); - -#if defined (DOS_NT) || defined (macintosh) - /* Under MS-DOS, Windows, and Macintosh, open does not work for - directories. */ - if (access (SDATA (absname), 0) == 0) - return Qt; - return Qnil; -#else /* not DOS_NT and not macintosh */ - flags = O_RDONLY; -#ifdef O_NONBLOCK - /* Opening a fifo without O_NONBLOCK can wait. - We don't want to wait. But we don't want to mess wth O_NONBLOCK - except in the case of a fifo, on a system which handles it. */ - desc = stat (SSDATA (absname), &statbuf); - if (desc < 0) - return Qnil; - if (S_ISFIFO (statbuf.st_mode)) - flags |= O_NONBLOCK; -#endif - desc = emacs_open (SSDATA (absname), flags, 0); - if (desc < 0) - return Qnil; - emacs_close (desc); - return Qt; -#endif /* not DOS_NT and not macintosh */ + return (faccessat (AT_FDCWD, SSDATA (absname), R_OK, AT_EACCESS) == 0 + ? Qt : Qnil); } /* Having this before file-symlink-p mysteriously caused it to be forgotten @@ -2621,7 +2566,7 @@ /* The read-only attribute of the parent directory doesn't affect whether a file or directory can be created within it. Some day we should check ACLs though, which do affect this. */ - return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; + return file_directory_p (SDATA (dir)) ? Qt : Qnil; #else return (check_writable (!NILP (dir) ? SSDATA (dir) : "") ? Qt : Qnil); @@ -2702,8 +2647,7 @@ See `file-symlink-p' to distinguish symlinks. */) (Lisp_Object filename) { - register Lisp_Object absname; - struct stat st; + Lisp_Object absname; Lisp_Object handler; absname = expand_and_dir_to_file (filename, BVAR (current_buffer, directory)); @@ -2716,9 +2660,20 @@ absname = ENCODE_FILE (absname); - if (stat (SSDATA (absname), &st) < 0) - return Qnil; - return S_ISDIR (st.st_mode) ? Qt : Qnil; + return file_directory_p (SSDATA (absname)) ? Qt : Qnil; +} + +/* Return true if FILE is a directory or a symlink to a directory. */ +bool +file_directory_p (char const *file) +{ +#ifdef WINDOWSNT + /* This is cheaper than 'stat'. */ + return faccessat (AT_FDCWD, file, D_OK, AT_EACCESS) == 0; +#else + struct stat st; + return stat (file, &st) == 0 && S_ISDIR (st.st_mode); +#endif } DEFUN ("file-accessible-directory-p", Ffile_accessible_directory_p, @@ -3043,10 +2998,8 @@ if (set_file_times (-1, SSDATA (encoded_absname), t, t)) { #ifdef MSDOS - struct stat st; - /* Setting times on a directory always fails. */ - if (stat (SSDATA (encoded_absname), &st) == 0 && S_ISDIR (st.st_mode)) + if (file_directory_p (SSDATA (encoded_absname))) return Qnil; #endif report_file_error ("Setting file times", Fcons (absname, Qnil)); === modified file 'src/lisp.h' --- src/lisp.h 2012-10-12 15:19:54 +0000 +++ src/lisp.h 2012-10-14 06:00:40 +0000 @@ -3179,6 +3179,7 @@ extern Lisp_Object restore_point_unwind (Lisp_Object); extern _Noreturn void report_file_error (const char *, Lisp_Object); extern void internal_delete_file (Lisp_Object); +extern bool file_directory_p (const char *); extern void syms_of_fileio (void); extern Lisp_Object make_temp_name (Lisp_Object, bool); extern Lisp_Object Qdelete_file; === modified file 'src/lread.c' --- src/lread.c 2012-10-12 15:19:54 +0000 +++ src/lread.c 2012-10-15 06:05:46 +0000 @@ -1404,7 +1404,7 @@ If SUFFIXES is non-nil, it should be a list of suffixes to append to file name when searching. If non-nil, PREDICATE is used instead of `file-readable-p'. -PREDICATE can also be an integer to pass to the access(2) function, +PREDICATE can also be an integer to pass to the faccessat(2) function, in which case file-name-handlers are ignored. This function will normally skip directories, so if you want it to find directories, make sure the PREDICATE function returns `dir-ok' for them. */) @@ -1442,7 +1442,6 @@ int openp (Lisp_Object path, Lisp_Object str, Lisp_Object suffixes, Lisp_Object *storeptr, Lisp_Object predicate) { - int fd; ptrdiff_t fn_size = 100; char buf[100]; char *fn = buf; @@ -1497,7 +1496,6 @@ { ptrdiff_t fnlen, lsuffix = SBYTES (XCAR (tail)); Lisp_Object handler; - bool exists; /* Concatenate path element/specified name with the suffix. If the directory starts with /:, remove that. */ @@ -1521,6 +1519,7 @@ handler = Ffind_file_name_handler (string, Qfile_exists_p); if ((!NILP (handler) || !NILP (predicate)) && !NATNUMP (predicate)) { + bool exists; if (NILP (predicate)) exists = !NILP (Ffile_readable_p (string)); else @@ -1542,37 +1541,40 @@ } else { -#ifndef WINDOWSNT - struct stat st; -#endif + int fd; const char *pfn; encoded_fn = ENCODE_FILE (string); pfn = SSDATA (encoded_fn); -#ifdef WINDOWSNT - exists = access (pfn, F_OK) == 0 && access (pfn, D_OK) < 0; -#else - exists = (stat (pfn, &st) == 0 && ! S_ISDIR (st.st_mode)); -#endif - if (exists) + + /* Check that we can access or open it. */ + if (NATNUMP (predicate)) + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 + && (faccessat (AT_FDCWD, pfn, XFASTINT (predicate), + AT_EACCESS) + == 0) + && ! file_directory_p (pfn)) + ? 1 : -1); + else { - /* Check that we can access or open it. */ - if (NATNUMP (predicate)) - fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 - && access (pfn, XFASTINT (predicate)) == 0) - ? 1 : -1); - else - fd = emacs_open (pfn, O_RDONLY, 0); - - if (fd >= 0) + struct stat st; + fd = emacs_open (pfn, O_RDONLY, 0); + if (0 <= fd + && (fstat (fd, &st) != 0 || S_ISDIR (st.st_mode))) { - /* We succeeded; return this descriptor and filename. */ - if (storeptr) - *storeptr = string; - UNGCPRO; - return fd; + emacs_close (fd); + fd = -1; } } + + if (fd >= 0) + { + /* We succeeded; return this descriptor and filename. */ + if (storeptr) + *storeptr = string; + UNGCPRO; + return fd; + } } } if (absolute) @@ -4088,7 +4090,7 @@ if (STRINGP (dirfile)) { dirfile = Fdirectory_file_name (dirfile); - if (access (SSDATA (dirfile), 0) < 0) + if (faccessat (AT_FDCWD, SSDATA (dirfile), F_OK, AT_EACCESS) != 0) dir_warning ("Warning: Lisp directory `%s' does not exist.\n", XCAR (path_tail)); } === modified file 'src/process.c' --- src/process.c 2012-10-13 00:52:01 +0000 +++ src/process.c 2012-10-15 06:05:46 +0000 @@ -663,7 +663,7 @@ #else sprintf (pty_name, "/dev/tty%c%x", c, i); #endif /* no PTY_TTY_NAME_SPRINTF */ - if (access (pty_name, 6) != 0) + if (faccessat (AT_FDCWD, pty_name, R_OK | W_OK, AT_EACCESS) != 0) { emacs_close (fd); # ifndef __sgi === modified file 'src/w32.c' --- src/w32.c 2012-10-12 15:30:06 +0000 +++ src/w32.c 2012-10-15 06:05:46 +0000 @@ -2707,10 +2707,16 @@ long file names. */ int -sys_access (const char * path, int mode) +sys_faccessat (int dirfd, const char * path, int mode, int flags) { DWORD attributes; + if (dirfd != AT_FDCWD) + { + errno = EINVAL; + return -1; + } + /* MSVCRT implementation of 'access' doesn't recognize D_OK, and its newer versions blow up when passed D_OK. */ path = map_w32_filename (path, NULL); === modified file 'src/xrdb.c' --- src/xrdb.c 2012-09-15 07:06:56 +0000 +++ src/xrdb.c 2012-10-15 06:05:46 +0000 @@ -21,6 +21,7 @@ #include <config.h> +#include <fcntl.h> #include <unistd.h> #include <errno.h> #include <epaths.h> @@ -266,11 +267,8 @@ static int file_p (const char *filename) { - struct stat status; - - return (access (filename, 4) == 0 /* exists and is readable */ - && stat (filename, &status) == 0 /* get the status */ - && (S_ISDIR (status.st_mode)) == 0); /* not a directory */ + return (faccessat (AT_FDCWD, filename, R_OK, AT_EACCESS) == 0 + && ! file_directory_p (filename)); } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-15 6:17 ` Paul Eggert @ 2012-10-15 17:31 ` Eli Zaretskii 2012-10-15 21:38 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-15 17:31 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 14 Oct 2012 23:17:16 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > On 10/14/2012 01:53 PM, Eli Zaretskii wrote: > > That sounds like a very weak reason to switch to a non-portable API > > Since the main objection here seems to be using the non-portable > function euidaccess, I changed the patch to use faccessat instead. Well, actually I thought we should stay with 'stat'. > faccessat, unlike euidaccess, is standardized by POSIX; it's a tad > more-complicated to use but it is standard and it's no doubt > a better solution in the long run anyway. The patch > uses the Gnulib substitute for faccessat for obsolescent POSIXish > hosts that lack faccessat. But those which have 'faccessat' probably also don't have the problems in 'stat' with huge files etc. So 'stat' is still better, IMO, because it is very efficient (since it's so ubiquitous in many programs). > For Windows the patch simply reworks the existing substitute for > 'access' so that it implements faccessat instead. Thanks, but you need to change all the calls to sys_access inside w32.c, or else Emacs won't link on Windows. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-15 17:31 ` Eli Zaretskii @ 2012-10-15 21:38 ` Paul Eggert 2012-10-16 3:46 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-15 21:38 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/15/2012 10:31 AM, Eli Zaretskii wrote: > Well, actually I thought we should stay with 'stat'. We cannot stay with 'stat' everywhere, since 'stat' does not tell us whether a file is readable or writeable or executable. We must use faccessat (or something like it, e.g., euidaccess) when we're implementing functions like check_writable, check_executable, or basically any function that uses R_OK, W_OK, or X_OK. It's true that we could use 'stat' instead of faccessat(..., F_OK, ...), but the question then arises, why bother to make a special case for F_OK? > So 'stat' is still better, IMO, because it is very efficient Why should 'stat' be more efficient than faccessat? 'stat' has more work to do if successful, as it needs to gather and copy a 'struct stat' from kernel space to user space. faccessat doesn't need to do that. I did try timing the two, and found that on some hosts 'stat' is faster, and on others 'faccessat' is. Presumably 'stat' is faster on platforms where, as you say, people have worked harder to tune it. But the differences are not universal enough, or large enough, to say that 'stat' is very efficient and faccessat is not. > you need to change all the calls to sys_access inside > w32.c, or else Emacs won't link on Windows. Thanks, the following further patch should do that. === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-15 06:07:05 +0000 +++ src/ChangeLog 2012-10-15 21:35:25 +0000 @@ -23,7 +23,7 @@ stat, as that avoids a permissions race. When not opening a file, use file_directory_p rather than stat. * w32.c (sys_faccessat): Rename from sys_access and switch to - faccessat's API. + faccessat's API. All uses changed. 2012-10-15 Daniel Colascione <dancol@dancol.org> === modified file 'src/w32.c' --- src/w32.c 2012-10-15 06:05:46 +0000 +++ src/w32.c 2012-10-15 21:35:25 +0000 @@ -1590,7 +1590,7 @@ see if it succeeds. But I think that's too much to ask. */ /* MSVCRT's _access crashes with D_OK. */ - if (tmp && sys_access (tmp, D_OK) == 0) + if (tmp && sys_faccessat (AT_FDCWD, tmp, D_OK, AT_EACCESS) == 0) { char * var = alloca (strlen (tmp) + 8); sprintf (var, "TMPDIR=%s", tmp); @@ -2959,7 +2959,7 @@ { int save_errno = errno; p[0] = first_char[i]; - if (sys_access (template, 0) < 0) + if (sys_faccessat (AT_FDCWD, template, F_OK, AT_EACCESS) < 0) { errno = save_errno; return template; @@ -4010,7 +4010,7 @@ { /* Non-absolute FILENAME is understood as being relative to LINKNAME's directory. We need to prepend that directory to - FILENAME to get correct results from sys_access below, since + FILENAME to get correct results from sys_faccessat below, since otherwise it will interpret FILENAME relative to the directory where the Emacs process runs. Note that make-symbolic-link always makes sure LINKNAME is a fully @@ -4024,10 +4024,10 @@ strncpy (tem, linkfn, p - linkfn); tem[p - linkfn] = '\0'; strcat (tem, filename); - dir_access = sys_access (tem, D_OK); + dir_access = sys_faccessat (AT_FDCWD, tem, D_OK, AT_EACCESS); } else - dir_access = sys_access (filename, D_OK); + dir_access = sys_faccessat (AT_FDCWD, filename, D_OK, AT_EACCESS); /* Since Windows distinguishes between symlinks to directories and to files, we provide a kludgy feature: if FILENAME doesn't ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-15 21:38 ` Paul Eggert @ 2012-10-16 3:46 ` Eli Zaretskii 2012-10-16 6:00 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-16 3:46 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 15 Oct 2012 14:38:05 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > On 10/15/2012 10:31 AM, Eli Zaretskii wrote: > > Well, actually I thought we should stay with 'stat'. > > We cannot stay with 'stat' everywhere, since 'stat' does not tell us > whether a file is readable or writeable or executable. We must use > faccessat (or something like it, e.g., euidaccess) when we're > implementing functions like check_writable, check_executable, or > basically any function that uses R_OK, W_OK, or X_OK. I was talking about check_existing. > It's true that we could use 'stat' instead of faccessat(..., F_OK, > ...), but the question then arises, why bother to make a special > case for F_OK? Because it's more universally available, and I believe also more efficient. > > So 'stat' is still better, IMO, because it is very efficient > > Why should 'stat' be more efficient than faccessat? Because it's used a lot. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-16 3:46 ` Eli Zaretskii @ 2012-10-16 6:00 ` Paul Eggert 2012-10-16 16:36 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-16 6:00 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/15/2012 08:46 PM, Eli Zaretskii wrote: >> why bother to make a special case for F_OK? > Because it's more universally available faccessat is just as available, on the platforms that the (patched) Emacs will run on: it's available either natively or via supplied emulation. > I believe also more efficient. I thought the point of Bug#12587 was that on Windows, 'stat' can be way slower than faccessat, so much so that Emacs appears unresponsive. 'stat' is also slower than faccessat on Solaris, though the performance difference is not as great as it appears to be on Windows. 'stat' is faster than faccessat on GNU/Linux, true, but the performance difference isn't great enough to make a special case just for that platform. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-16 6:00 ` Paul Eggert @ 2012-10-16 16:36 ` Eli Zaretskii 2012-10-19 17:01 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-16 16:36 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 15 Oct 2012 23:00:34 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > > I believe also more efficient. > > I thought the point of Bug#12587 was that on Windows, > 'stat' can be way slower than faccessat, so much > so that Emacs appears unresponsive. Granted, I was talking only about Posix platforms. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-16 16:36 ` Eli Zaretskii @ 2012-10-19 17:01 ` Paul Eggert 2012-10-19 18:41 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-19 17:01 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632-done On 10/16/2012 09:36 AM, Eli Zaretskii wrote: >> > I thought the point of Bug#12587 was that on Windows, >> > 'stat' can be way slower than faccessat, so much >> > so that Emacs appears unresponsive. > Granted, I was talking only about Posix platforms. I'd rather avoid the situation where we have code like this: #if defined WINDOWSNT || defined __sun use faccessat #elif defined __linux__ use stat #else /* not sure which is faster */ #endif unless there's a reasonably significant performance advantage in doing so. The performance advantage of stat on GNU/Linux is relatively minor, whereas the performance advantage of faccessat on Windows is major. Since it's simpler to use faccessat everywhere, I installed a patch to do that as trunk bzr 110591 and am marking this bug as done. In the unlikely event that we run into significant performance issues because of this we can easily switch to the more-complex approach. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 17:01 ` Paul Eggert @ 2012-10-19 18:41 ` Eli Zaretskii 2012-10-19 18:54 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-19 18:41 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Fri, 19 Oct 2012 10:01:23 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632-done@debbugs.gnu.org > > Since it's simpler to use faccessat everywhere, I installed a patch > to do that as trunk bzr 110591 and am marking this bug as done. Why are we doing such changes during a feature freeze? ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 18:41 ` Eli Zaretskii @ 2012-10-19 18:54 ` Paul Eggert 2012-10-19 19:05 ` Glenn Morris 2012-10-19 19:10 ` Eli Zaretskii 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-19 18:54 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/19/2012 11:41 AM, Eli Zaretskii wrote: > Why are we doing such changes during a feature freeze? To fix a bug. It's similar to trunk bzr 110520, another bug fix in this area, installed during the feature freeze. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 18:54 ` Paul Eggert @ 2012-10-19 19:05 ` Glenn Morris 2012-10-19 19:36 ` Paul Eggert 2012-10-19 19:10 ` Eli Zaretskii 1 sibling, 1 reply; 47+ messages in thread From: Glenn Morris @ 2012-10-19 19:05 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 Paul Eggert wrote: > On 10/19/2012 11:41 AM, Eli Zaretskii wrote: >> Why are we doing such changes during a feature freeze? > > To fix a bug. If a bug is long-standing and/or minor, and if the fix for it involves non-trivial modifications, then it can be better to leave it unfixed (at this stage in the release process), in case a new, more serious or subtle problem is inadvertently introduced. Your initial report said "setuid Emacs is mishandling file permissions on POSIXish platforms that lack 'euidaccess'" and "setuid Emacs is mishandling these file permissions even on GNUish platforms.". I doubt anyone is running setuid Emacs anywhere, so this seems like a theoretical concern. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 19:05 ` Glenn Morris @ 2012-10-19 19:36 ` Paul Eggert 2012-10-20 2:25 ` Richard Stallman 2012-10-21 1:44 ` Glenn Morris 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-19 19:36 UTC (permalink / raw) To: Glenn Morris; +Cc: 12632 On 10/19/2012 12:05 PM, Glenn Morris wrote: > I doubt anyone is running setuid Emacs anywhere People do it all the time, often unwittingly, typically by having setuid or settgid scripts that end up invoking an editor. I've run into the problem myself. But I agree that this bug is not a new one. The first bug report I could find for it was from Chris Torek, dated 1983! I suppose that if Emacs users have lived with this security hole for three decades, they can live with it for a while longer. So I reverted the change from the trunk. Here's a copy of Torek's report: http://www.megalextoria.com/usenet-archive/news005f1/b12/net.emacs/00000104.html ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 19:36 ` Paul Eggert @ 2012-10-20 2:25 ` Richard Stallman 2012-10-20 4:36 ` Paul Eggert 2012-10-21 1:44 ` Glenn Morris 1 sibling, 1 reply; 47+ messages in thread From: Richard Stallman @ 2012-10-20 2:25 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 But I agree that this bug is not a new one. The first bug report I could find for it was from Chris Torek, dated 1983! Since I started writing GNU Emacs in 1984, that must have been rather prescient on his part. Or maybe he was using some other Emacs version. -- Dr Richard Stallman President, Free Software Foundation 51 Franklin St Boston MA 02110 USA www.fsf.org www.gnu.org Skype: No way! That's nonfree (freedom-denying) software. Use Ekiga or an ordinary phone call ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-20 2:25 ` Richard Stallman @ 2012-10-20 4:36 ` Paul Eggert 0 siblings, 0 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-20 4:36 UTC (permalink / raw) To: rms; +Cc: 12632 On 10/19/2012 07:25 PM, Richard Stallman wrote: > that must have been rather prescient on his part. Ha! I should have known there was something odd about an Emacs bug report dated 1983. For what it's worth, I have verified that the bug exists in the oldest version of GNU Emacs that I found at gnu.org, namely GNU Emacs 18.59 (dated October 1992). I suspect that the bug goes back to the first version of GNU Emacs, though. At least, I hope so: it's not often that one gets to fix a bug that old. > maybe he was using some other Emacs version. Torek's Usenet posting (Article-I.D.: sri-arpa.858, Posted: Fri Apr 8 14:18:56 1983) doesn't say which Emacs he was writing about. Most likely it was Gosling's Emacs; this was back when that was freely redistributable. It's not surprising that Gosling Emacs (assuming that's what it was) had the same bug then that GNU Emacs does now. It's a common bug associated with the use of the 'access' system call. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 19:36 ` Paul Eggert 2012-10-20 2:25 ` Richard Stallman @ 2012-10-21 1:44 ` Glenn Morris 2012-10-21 2:52 ` Paul Eggert 1 sibling, 1 reply; 47+ messages in thread From: Glenn Morris @ 2012-10-21 1:44 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 Paul Eggert wrote: > People do it all the time, often unwittingly, typically by > having setuid or settgid scripts that end up invoking an > editor. I've run into the problem myself. I thought setuid shell scripts were not supported on most UNIXs? ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-21 1:44 ` Glenn Morris @ 2012-10-21 2:52 ` Paul Eggert 2012-10-21 4:24 ` Glenn Morris 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-21 2:52 UTC (permalink / raw) To: Glenn Morris; +Cc: 12632 On 10/20/2012 06:44 PM, Glenn Morris wrote: > I thought setuid shell scripts were not supported on most UNIXs? Yes, nowadays it's typically disabled, but there are obvious workarounds and people use them. They'll create a tiny executable that is setuid, which turns around and invokes the script. It's not something one would recommend for highly secure environments, but that doesn't mean it doesn't happen. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-21 2:52 ` Paul Eggert @ 2012-10-21 4:24 ` Glenn Morris 2012-10-22 6:03 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Glenn Morris @ 2012-10-21 4:24 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 Paul Eggert wrote: > On 10/20/2012 06:44 PM, Glenn Morris wrote: >> I thought setuid shell scripts were not supported on most UNIXs? > > Yes, nowadays it's typically disabled, but there are obvious > workarounds and people use them. They'll create a tiny executable that > is setuid, which turns around and invokes the script. I really can't see how this is something that "People do [...] all the time, often unwittingly"; but obviously at this point I'm just arguing for the sake of it... ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-21 4:24 ` Glenn Morris @ 2012-10-22 6:03 ` Paul Eggert 2012-10-22 17:19 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-22 6:03 UTC (permalink / raw) To: Glenn Morris; +Cc: 12632 [-- Attachment #1: Type: text/plain, Size: 961 bytes --] On 10/20/2012 09:24 PM, Glenn Morris wrote: > I really can't see how this is something that "People do [...] all the > time, often unwittingly" Yes, you're right, I was exaggerating -- it used to be more common, but it's rarer nowadays. Anyway, now that this patch is waiting until after the feature freeze, it can accommodate some cleanup changes. I've attached the revised version. It speeds up file-accessible-directory-p by doing it with one system call rather than two, avoids the unnecessary NILP check in file-writable-p that we discussed earlier, fixes a bug where file-writable-p thinks that one can create a file in a directory even when one cannot, does a better job of checking whether directories are searchable rather than merely whether they exist, and closes a couple more races related to permissions checking. None of this is urgent but I figured I'd write it up while I was thinking about it. This patch is relative to trunk bzr 110616. [-- Attachment #2: euidaccess.txt --] [-- Type: text/plain, Size: 95453 bytes --] === modified file '.bzrignore' --- .bzrignore 2012-10-19 19:25:18 +0000 +++ .bzrignore 2012-10-20 01:13:35 +0000 @@ -88,6 +88,7 @@ lib/arg-nonnull.h lib/c++defs.h lib/execinfo.h +lib/fcntl.h lib/getopt.h lib/inttypes.h lib/stdalign.h === modified file 'ChangeLog' --- ChangeLog 2012-10-21 01:35:46 +0000 +++ ChangeLog 2012-10-22 02:43:16 +0000 @@ -1,3 +1,16 @@ +2012-10-22 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * .bzrignore: Add lib/fcntl.h. + * configure.ac (euidaccess): Remove check; gnulib does this for us now. + (gl_FCNTL_O_FLAGS): Define a dummy version. + * lib/at-func.c, lib/euidaccess.c, lib/faccessat.c, lib/fcntl.in.h: + * lib/getgroups.c, lib/group-member.c, lib/root-uid.h: + * lib/xalloc-oversized.h, m4/euidaccess.m4, m4/faccessat.m4: + * m4/fcntl_h.m4, m4/getgroups.m4, m4/group-member.m4: + New files, from gnulib. + * lib/gnulib.mk, m4/gnulib-comp.m4: Regenerate. + 2012-10-21 Glenn Morris <rgm@gnu.org> * Makefile.in (install-etc): Don't install emacs22 icons. === modified file 'admin/ChangeLog' --- admin/ChangeLog 2012-10-19 19:25:18 +0000 +++ admin/ChangeLog 2012-10-22 02:43:16 +0000 @@ -1,3 +1,11 @@ +2012-10-22 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * merge-gnulib (GNULIB_MODULES): Add faccessat. + (GNULIB_TOOL_FLAGS): Avoid at-internal, fchdir, malloc-posix, + openat-die, openat-h, save-cwd. Do not avoid fcntl-h. + Omit gnulib's m4/fcntl-o.m4. + 2012-10-12 Kenichi Handa <handa@gnu.org> * charsets/Makefile (JISC6226.map): Add missing mappings. === modified file 'admin/merge-gnulib' --- admin/merge-gnulib 2012-10-19 19:25:18 +0000 +++ admin/merge-gnulib 2012-10-20 01:13:35 +0000 @@ -28,7 +28,7 @@ GNULIB_MODULES=' alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 - dtoastr dtotimespec dup2 environ execinfo + dtoastr dtotimespec dup2 environ execinfo faccessat filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink @@ -39,9 +39,12 @@ ' GNULIB_TOOL_FLAGS=' - --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat - --avoid=msvc-inval --avoid=msvc-nothrow - --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types + --avoid=at-internal + --avoid=errno --avoid=fchdir --avoid=fcntl --avoid=fstat + --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow + --avoid=openat-die --avoid=openat-h + --avoid=raise + --avoid=save-cwd --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --conditional-dependencies --import --no-changelog --no-vc-files --makefile-name=gnulib.mk @@ -85,7 +88,7 @@ } "$gnulib_srcdir"/gnulib-tool --dir="$src" $GNULIB_TOOL_FLAGS $GNULIB_MODULES && -rm -- "$src"m4/gnulib-cache.m4 "$src"m4/warn-on-use.m4 && +rm -- "$src"m4/fcntl-o.m4 "$src"m4/gnulib-cache.m4 "$src"m4/warn-on-use.m4 && cp -- "$gnulib_srcdir"/build-aux/texinfo.tex "$src"doc/misc && cp -- "$gnulib_srcdir"/build-aux/move-if-change "$src"build-aux && autoreconf -i -I m4 -- ${src:+"$src"} === modified file 'configure.ac' --- configure.ac 2012-10-21 07:23:34 +0000 +++ configure.ac 2012-10-22 02:43:16 +0000 @@ -572,6 +572,8 @@ test "x$NON_GCC_TEST_OPTIONS" != x && CC="$CC $NON_GCC_TEST_OPTIONS" fi +# Avoid gnulib's tests for O_NOATIME and O_NOFOLLOW, as we don't use them. +AC_DEFUN([gl_FCNTL_O_FLAGS]) # Avoid gnulib's threadlib module, as we do threads our own way. AC_DEFUN([gl_THREADLIB]) @@ -2872,7 +2874,7 @@ AC_CHECK_FUNCS(gethostname \ closedir getrusage get_current_dir_name \ lrand48 setsid \ -fpathconf select euidaccess getpagesize setlocale \ +fpathconf select getpagesize setlocale \ utimes getrlimit setrlimit setpgid getcwd shutdown getaddrinfo \ __fpending strsignal setitimer \ sendto recvfrom getsockname getpeername getifaddrs freeifaddrs \ === added file 'lib/at-func.c' --- lib/at-func.c 1970-01-01 00:00:00 +0000 +++ lib/at-func.c 2012-10-15 06:05:46 +0000 @@ -0,0 +1,146 @@ +/* Define at-style functions like fstatat, unlinkat, fchownat, etc. + Copyright (C) 2006, 2009-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include "dosname.h" /* solely for definition of IS_ABSOLUTE_FILE_NAME */ + +#ifdef GNULIB_SUPPORT_ONLY_AT_FDCWD +# include <errno.h> +# ifndef ENOTSUP +# define ENOTSUP EINVAL +# endif +#else +# include "openat.h" +# include "openat-priv.h" +# include "save-cwd.h" +#endif + +#ifdef AT_FUNC_USE_F1_COND +# define CALL_FUNC(F) \ + (flag == AT_FUNC_USE_F1_COND \ + ? AT_FUNC_F1 (F AT_FUNC_POST_FILE_ARGS) \ + : AT_FUNC_F2 (F AT_FUNC_POST_FILE_ARGS)) +# define VALIDATE_FLAG(F) \ + if (flag & ~AT_FUNC_USE_F1_COND) \ + { \ + errno = EINVAL; \ + return FUNC_FAIL; \ + } +#else +# define CALL_FUNC(F) (AT_FUNC_F1 (F AT_FUNC_POST_FILE_ARGS)) +# define VALIDATE_FLAG(F) /* empty */ +#endif + +#ifdef AT_FUNC_RESULT +# define FUNC_RESULT AT_FUNC_RESULT +#else +# define FUNC_RESULT int +#endif + +#ifdef AT_FUNC_FAIL +# define FUNC_FAIL AT_FUNC_FAIL +#else +# define FUNC_FAIL -1 +#endif + +/* Call AT_FUNC_F1 to operate on FILE, which is in the directory + open on descriptor FD. If AT_FUNC_USE_F1_COND is defined to a value, + AT_FUNC_POST_FILE_PARAM_DECLS must include a parameter named flag; + call AT_FUNC_F2 if FLAG is 0 or fail if FLAG contains more bits than + AT_FUNC_USE_F1_COND. Return int and fail with -1 unless AT_FUNC_RESULT + or AT_FUNC_FAIL are defined. If possible, do it without changing the + working directory. Otherwise, resort to using save_cwd/fchdir, + then AT_FUNC_F?/restore_cwd. If either the save_cwd or the restore_cwd + fails, then give a diagnostic and exit nonzero. */ +FUNC_RESULT +AT_FUNC_NAME (int fd, char const *file AT_FUNC_POST_FILE_PARAM_DECLS) +{ + VALIDATE_FLAG (flag); + + if (fd == AT_FDCWD || IS_ABSOLUTE_FILE_NAME (file)) + return CALL_FUNC (file); + +#ifdef GNULIB_SUPPORT_ONLY_AT_FDCWD + errno = ENOTSUP; + return FUNC_FAIL; +#else + { + /* Be careful to choose names unlikely to conflict with + AT_FUNC_POST_FILE_PARAM_DECLS. */ + struct saved_cwd saved_cwd; + int saved_errno; + FUNC_RESULT err; + + { + char proc_buf[OPENAT_BUFFER_SIZE]; + char *proc_file = openat_proc_name (proc_buf, fd, file); + if (proc_file) + { + FUNC_RESULT proc_result = CALL_FUNC (proc_file); + int proc_errno = errno; + if (proc_file != proc_buf) + free (proc_file); + /* If the syscall succeeds, or if it fails with an unexpected + errno value, then return right away. Otherwise, fall through + and resort to using save_cwd/restore_cwd. */ + if (FUNC_FAIL != proc_result) + return proc_result; + if (! EXPECTED_ERRNO (proc_errno)) + { + errno = proc_errno; + return proc_result; + } + } + } + + if (save_cwd (&saved_cwd) != 0) + openat_save_fail (errno); + if (0 <= fd && fd == saved_cwd.desc) + { + /* If saving the working directory collides with the user's + requested fd, then the user's fd must have been closed to + begin with. */ + free_cwd (&saved_cwd); + errno = EBADF; + return FUNC_FAIL; + } + + if (fchdir (fd) != 0) + { + saved_errno = errno; + free_cwd (&saved_cwd); + errno = saved_errno; + return FUNC_FAIL; + } + + err = CALL_FUNC (file); + saved_errno = (err == FUNC_FAIL ? errno : 0); + + if (restore_cwd (&saved_cwd) != 0) + openat_restore_fail (errno); + + free_cwd (&saved_cwd); + + if (saved_errno) + errno = saved_errno; + return err; + } +#endif +} +#undef CALL_FUNC +#undef FUNC_RESULT +#undef FUNC_FAIL === added file 'lib/euidaccess.c' --- lib/euidaccess.c 1970-01-01 00:00:00 +0000 +++ lib/euidaccess.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,221 @@ +/* euidaccess -- check if effective user id can access file + + Copyright (C) 1990-1991, 1995, 1998, 2000, 2003-2006, 2008-2012 Free + Software Foundation, Inc. + + This file is part of the GNU C Library. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* Written by David MacKenzie and Torbjorn Granlund. + Adapted for GNU C library by Roland McGrath. */ + +#ifndef _LIBC +# include <config.h> +#endif + +#include <fcntl.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +#include "root-uid.h" + +#if HAVE_LIBGEN_H +# include <libgen.h> +#endif + +#include <errno.h> +#ifndef __set_errno +# define __set_errno(val) errno = (val) +#endif + +#if defined EACCES && !defined EACCESS +# define EACCESS EACCES +#endif + +#ifndef F_OK +# define F_OK 0 +# define X_OK 1 +# define W_OK 2 +# define R_OK 4 +#endif + + +#ifdef _LIBC + +# define access __access +# define getuid __getuid +# define getgid __getgid +# define geteuid __geteuid +# define getegid __getegid +# define group_member __group_member +# define euidaccess __euidaccess +# undef stat +# define stat stat64 + +#endif + +/* Return 0 if the user has permission of type MODE on FILE; + otherwise, return -1 and set 'errno'. + Like access, except that it uses the effective user and group + id's instead of the real ones, and it does not always check for read-only + file system, text busy, etc. */ + +int +euidaccess (const char *file, int mode) +{ +#if HAVE_FACCESSAT /* glibc, AIX 7, Solaris 11, Cygwin 1.7 */ + return faccessat (AT_FDCWD, file, mode, AT_EACCESS); +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ + return access (file, mode | EFF_ONLY_OK); +#elif defined ACC_SELF /* AIX */ + return accessx (file, mode, ACC_SELF); +#elif HAVE_EACCESS /* FreeBSD */ + return eaccess (file, mode); +#else /* Mac OS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ + + uid_t uid = getuid (); + gid_t gid = getgid (); + uid_t euid = geteuid (); + gid_t egid = getegid (); + struct stat stats; + +# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS + + /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to + return the correct result even if this would make it + nonreentrant. Define this only if your entire application is + safe even if the uid or gid might temporarily change. If your + application uses signal handlers or threads it is probably not + safe. */ + + if (mode == F_OK) + return stat (file, &stats); + else + { + int result; + int saved_errno; + + if (uid != euid) + setreuid (euid, uid); + if (gid != egid) + setregid (egid, gid); + + result = access (file, mode); + saved_errno = errno; + + /* Restore them. */ + if (uid != euid) + setreuid (uid, euid); + if (gid != egid) + setregid (gid, egid); + + errno = saved_errno; + return result; + } + +# else + + /* The following code assumes the traditional Unix model, and is not + correct on systems that have ACLs or the like. However, it's + better than nothing, and it is reentrant. */ + + unsigned int granted; + if (uid == euid && gid == egid) + /* If we are not set-uid or set-gid, access does the same. */ + return access (file, mode); + + if (stat (file, &stats) != 0) + return -1; + + /* The super-user can read and write any file, and execute any file + that anyone can execute. */ + if (euid == ROOT_UID + && ((mode & X_OK) == 0 + || (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)))) + return 0; + + /* Convert the mode to traditional form, clearing any bogus bits. */ + if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0) + mode &= 7; + else + mode = ((mode & R_OK ? 4 : 0) + + (mode & W_OK ? 2 : 0) + + (mode & X_OK ? 1 : 0)); + + if (mode == 0) + return 0; /* The file exists. */ + + /* Convert the file's permission bits to traditional form. */ + if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6) + && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3) + && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0)) + granted = stats.st_mode; + else + granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0) + + (stats.st_mode & S_IWUSR ? 2 << 6 : 0) + + (stats.st_mode & S_IXUSR ? 1 << 6 : 0) + + (stats.st_mode & S_IRGRP ? 4 << 3 : 0) + + (stats.st_mode & S_IWGRP ? 2 << 3 : 0) + + (stats.st_mode & S_IXGRP ? 1 << 3 : 0) + + (stats.st_mode & S_IROTH ? 4 << 0 : 0) + + (stats.st_mode & S_IWOTH ? 2 << 0 : 0) + + (stats.st_mode & S_IXOTH ? 1 << 0 : 0)); + + if (euid == stats.st_uid) + granted >>= 6; + else if (egid == stats.st_gid || group_member (stats.st_gid)) + granted >>= 3; + + if ((mode & ~granted) == 0) + return 0; + __set_errno (EACCESS); + return -1; + +# endif +#endif +} +#undef euidaccess +#ifdef weak_alias +weak_alias (__euidaccess, euidaccess) +#endif +\f +#ifdef TEST +# include <error.h> +# include <stdio.h> +# include <stdlib.h> + +char *program_name; + +int +main (int argc, char **argv) +{ + char *file; + int mode; + int err; + + program_name = argv[0]; + if (argc < 3) + abort (); + file = argv[1]; + mode = atoi (argv[2]); + + err = euidaccess (file, mode); + printf ("%d\n", err); + if (err != 0) + error (0, errno, "%s", file); + exit (0); +} +#endif === added file 'lib/faccessat.c' --- lib/faccessat.c 1970-01-01 00:00:00 +0000 +++ lib/faccessat.c 2012-10-15 06:05:46 +0000 @@ -0,0 +1,45 @@ +/* Check the access rights of a file relative to an open directory. + Copyright (C) 2009-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Eric Blake */ + +#include <config.h> + +#include <unistd.h> +#include <fcntl.h> + +#ifndef HAVE_ACCESS +/* Mingw lacks access, but it also lacks real vs. effective ids, so + the gnulib euidaccess module is good enough. */ +# undef access +# define access euidaccess +#endif + +/* Invoke access or euidaccess on file, FILE, using mode MODE, in the directory + open on descriptor FD. If possible, do it without changing the + working directory. Otherwise, resort to using save_cwd/fchdir, then + (access|euidaccess)/restore_cwd. If either the save_cwd or the + restore_cwd fails, then give a diagnostic and exit nonzero. + Note that this implementation only supports AT_EACCESS, although some + native versions also support AT_SYMLINK_NOFOLLOW. */ + +#define AT_FUNC_NAME faccessat +#define AT_FUNC_F1 euidaccess +#define AT_FUNC_F2 access +#define AT_FUNC_USE_F1_COND AT_EACCESS +#define AT_FUNC_POST_FILE_PARAM_DECLS , int mode, int flag +#define AT_FUNC_POST_FILE_ARGS , mode +#include "at-func.c" === added file 'lib/fcntl.in.h' --- lib/fcntl.in.h 1970-01-01 00:00:00 +0000 +++ lib/fcntl.in.h 2012-10-16 01:07:08 +0000 @@ -0,0 +1,347 @@ +/* Like <fcntl.h>, but with non-working flags defined to 0. + + Copyright (C) 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Paul Eggert */ + +#if __GNUC__ >= 3 +@PRAGMA_SYSTEM_HEADER@ +#endif +@PRAGMA_COLUMNS@ + +#if defined __need_system_fcntl_h +/* Special invocation convention. */ + +/* Needed before <sys/stat.h>. + May also define off_t to a 64-bit type on native Windows. */ +#include <sys/types.h> +/* On some systems other than glibc, <sys/stat.h> is a prerequisite of + <fcntl.h>. On glibc systems, we would like to avoid namespace pollution. + But on glibc systems, <fcntl.h> includes <sys/stat.h> inside an + extern "C" { ... } block, which leads to errors in C++ mode with the + overridden <sys/stat.h> from gnulib. These errors are known to be gone + with g++ version >= 4.3. */ +#if !(defined __GLIBC__ || defined __UCLIBC__) || (defined __cplusplus && defined GNULIB_NAMESPACE && !(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))) +# include <sys/stat.h> +#endif +#@INCLUDE_NEXT@ @NEXT_FCNTL_H@ + +#else +/* Normal invocation convention. */ + +#ifndef _@GUARD_PREFIX@_FCNTL_H + +/* Needed before <sys/stat.h>. + May also define off_t to a 64-bit type on native Windows. */ +#include <sys/types.h> +/* On some systems other than glibc, <sys/stat.h> is a prerequisite of + <fcntl.h>. On glibc systems, we would like to avoid namespace pollution. + But on glibc systems, <fcntl.h> includes <sys/stat.h> inside an + extern "C" { ... } block, which leads to errors in C++ mode with the + overridden <sys/stat.h> from gnulib. These errors are known to be gone + with g++ version >= 4.3. */ +#if !(defined __GLIBC__ || defined __UCLIBC__) || (defined __cplusplus && defined GNULIB_NAMESPACE && !(__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 3))) +# include <sys/stat.h> +#endif +/* The include_next requires a split double-inclusion guard. */ +#@INCLUDE_NEXT@ @NEXT_FCNTL_H@ + +#ifndef _@GUARD_PREFIX@_FCNTL_H +#define _@GUARD_PREFIX@_FCNTL_H + +#ifndef __GLIBC__ /* Avoid namespace pollution on glibc systems. */ +# include <unistd.h> +#endif + +/* Native Windows platforms declare open(), creat() in <io.h>. */ +#if (@GNULIB_OPEN@ || defined GNULIB_POSIXCHECK) \ + && ((defined _WIN32 || defined __WIN32__) && ! defined __CYGWIN__) +# include <io.h> +#endif + + +/* The definitions of _GL_FUNCDECL_RPL etc. are copied here. */ + +/* The definition of _GL_ARG_NONNULL is copied here. */ + +/* The definition of _GL_WARN_ON_USE is copied here. */ + + +/* Declare overridden functions. */ + +#if @GNULIB_FCNTL@ +# if @REPLACE_FCNTL@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef fcntl +# define fcntl rpl_fcntl +# endif +_GL_FUNCDECL_RPL (fcntl, int, (int fd, int action, ...)); +_GL_CXXALIAS_RPL (fcntl, int, (int fd, int action, ...)); +# else +# if !@HAVE_FCNTL@ +_GL_FUNCDECL_SYS (fcntl, int, (int fd, int action, ...)); +# endif +_GL_CXXALIAS_SYS (fcntl, int, (int fd, int action, ...)); +# endif +_GL_CXXALIASWARN (fcntl); +#elif defined GNULIB_POSIXCHECK +# undef fcntl +# if HAVE_RAW_DECL_FCNTL +_GL_WARN_ON_USE (fcntl, "fcntl is not always POSIX compliant - " + "use gnulib module fcntl for portability"); +# endif +#endif + +#if @GNULIB_OPEN@ +# if @REPLACE_OPEN@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef open +# define open rpl_open +# endif +_GL_FUNCDECL_RPL (open, int, (const char *filename, int flags, ...) + _GL_ARG_NONNULL ((1))); +_GL_CXXALIAS_RPL (open, int, (const char *filename, int flags, ...)); +# else +_GL_CXXALIAS_SYS (open, int, (const char *filename, int flags, ...)); +# endif +/* On HP-UX 11, in C++ mode, open() is defined as an inline function with a + default argument. _GL_CXXALIASWARN does not work in this case. */ +# if !defined __hpux +_GL_CXXALIASWARN (open); +# endif +#elif defined GNULIB_POSIXCHECK +# undef open +/* Assume open is always declared. */ +_GL_WARN_ON_USE (open, "open is not always POSIX compliant - " + "use gnulib module open for portability"); +#endif + +#if @GNULIB_OPENAT@ +# if @REPLACE_OPENAT@ +# if !(defined __cplusplus && defined GNULIB_NAMESPACE) +# undef openat +# define openat rpl_openat +# endif +_GL_FUNCDECL_RPL (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...) + _GL_ARG_NONNULL ((2))); +_GL_CXXALIAS_RPL (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...)); +# else +# if !@HAVE_OPENAT@ +_GL_FUNCDECL_SYS (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...) + _GL_ARG_NONNULL ((2))); +# endif +_GL_CXXALIAS_SYS (openat, int, + (int fd, char const *file, int flags, /* mode_t mode */ ...)); +# endif +_GL_CXXALIASWARN (openat); +#elif defined GNULIB_POSIXCHECK +# undef openat +# if HAVE_RAW_DECL_OPENAT +_GL_WARN_ON_USE (openat, "openat is not portable - " + "use gnulib module openat for portability"); +# endif +#endif + + +/* Fix up the FD_* macros, only known to be missing on mingw. */ + +#ifndef FD_CLOEXEC +# define FD_CLOEXEC 1 +#endif + +/* Fix up the supported F_* macros. Intentionally leave other F_* + macros undefined. Only known to be missing on mingw. */ + +#ifndef F_DUPFD_CLOEXEC +# define F_DUPFD_CLOEXEC 0x40000000 +/* Witness variable: 1 if gnulib defined F_DUPFD_CLOEXEC, 0 otherwise. */ +# define GNULIB_defined_F_DUPFD_CLOEXEC 1 +#else +# define GNULIB_defined_F_DUPFD_CLOEXEC 0 +#endif + +#ifndef F_DUPFD +# define F_DUPFD 1 +#endif + +#ifndef F_GETFD +# define F_GETFD 2 +#endif + +/* Fix up the O_* macros. */ + +#if !defined O_DIRECT && defined O_DIRECTIO +/* Tru64 spells it 'O_DIRECTIO'. */ +# define O_DIRECT O_DIRECTIO +#endif + +#if !defined O_CLOEXEC && defined O_NOINHERIT +/* Mingw spells it 'O_NOINHERIT'. */ +# define O_CLOEXEC O_NOINHERIT +#endif + +#ifndef O_CLOEXEC +# define O_CLOEXEC 0 +#endif + +#ifndef O_DIRECT +# define O_DIRECT 0 +#endif + +#ifndef O_DIRECTORY +# define O_DIRECTORY 0 +#endif + +#ifndef O_DSYNC +# define O_DSYNC 0 +#endif + +#ifndef O_EXEC +# define O_EXEC O_RDONLY /* This is often close enough in older systems. */ +#endif + +#ifndef O_IGNORE_CTTY +# define O_IGNORE_CTTY 0 +#endif + +#ifndef O_NDELAY +# define O_NDELAY 0 +#endif + +#ifndef O_NOATIME +# define O_NOATIME 0 +#endif + +#ifndef O_NONBLOCK +# define O_NONBLOCK O_NDELAY +#endif + +/* If the gnulib module 'nonblocking' is in use, guarantee a working non-zero + value of O_NONBLOCK. Otherwise, O_NONBLOCK is defined (above) to O_NDELAY + or to 0 as fallback. */ +#if @GNULIB_NONBLOCKING@ +# if O_NONBLOCK +# define GNULIB_defined_O_NONBLOCK 0 +# else +# define GNULIB_defined_O_NONBLOCK 1 +# undef O_NONBLOCK +# define O_NONBLOCK 0x40000000 +# endif +#endif + +#ifndef O_NOCTTY +# define O_NOCTTY 0 +#endif + +#ifndef O_NOFOLLOW +# define O_NOFOLLOW 0 +#endif + +#ifndef O_NOLINK +# define O_NOLINK 0 +#endif + +#ifndef O_NOLINKS +# define O_NOLINKS 0 +#endif + +#ifndef O_NOTRANS +# define O_NOTRANS 0 +#endif + +#ifndef O_RSYNC +# define O_RSYNC 0 +#endif + +#ifndef O_SEARCH +# define O_SEARCH O_RDONLY /* This is often close enough in older systems. */ +#endif + +#ifndef O_SYNC +# define O_SYNC 0 +#endif + +#ifndef O_TTY_INIT +# define O_TTY_INIT 0 +#endif + +#if O_ACCMODE != (O_RDONLY | O_WRONLY | O_RDWR | O_EXEC | O_SEARCH) +# undef O_ACCMODE +# define O_ACCMODE (O_RDONLY | O_WRONLY | O_RDWR | O_EXEC | O_SEARCH) +#endif + +/* For systems that distinguish between text and binary I/O. + O_BINARY is usually declared in fcntl.h */ +#if !defined O_BINARY && defined _O_BINARY + /* For MSC-compatible compilers. */ +# define O_BINARY _O_BINARY +# define O_TEXT _O_TEXT +#endif + +#if defined __BEOS__ || defined __HAIKU__ + /* BeOS 5 and Haiku have O_BINARY and O_TEXT, but they have no effect. */ +# undef O_BINARY +# undef O_TEXT +#endif + +#ifndef O_BINARY +# define O_BINARY 0 +# define O_TEXT 0 +#endif + +/* Fix up the AT_* macros. */ + +/* Work around a bug in Solaris 9 and 10: AT_FDCWD is positive. Its + value exceeds INT_MAX, so its use as an int doesn't conform to the + C standard, and GCC and Sun C complain in some cases. If the bug + is present, undef AT_FDCWD here, so it can be redefined below. */ +#if 0 < AT_FDCWD && AT_FDCWD == 0xffd19553 +# undef AT_FDCWD +#endif + +/* Use the same bit pattern as Solaris 9, but with the proper + signedness. The bit pattern is important, in case this actually is + Solaris with the above workaround. */ +#ifndef AT_FDCWD +# define AT_FDCWD (-3041965) +#endif + +/* Use the same values as Solaris 9. This shouldn't matter, but + there's no real reason to differ. */ +#ifndef AT_SYMLINK_NOFOLLOW +# define AT_SYMLINK_NOFOLLOW 4096 +#endif + +#ifndef AT_REMOVEDIR +# define AT_REMOVEDIR 1 +#endif + +/* Solaris 9 lacks these two, so just pick unique values. */ +#ifndef AT_SYMLINK_FOLLOW +# define AT_SYMLINK_FOLLOW 2 +#endif + +#ifndef AT_EACCESS +# define AT_EACCESS 4 +#endif + + +#endif /* _@GUARD_PREFIX@_FCNTL_H */ +#endif /* _@GUARD_PREFIX@_FCNTL_H */ +#endif === added file 'lib/getgroups.c' --- lib/getgroups.c 1970-01-01 00:00:00 +0000 +++ lib/getgroups.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,116 @@ +/* provide consistent interface to getgroups for systems that don't allow N==0 + + Copyright (C) 1996, 1999, 2003, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +/* written by Jim Meyering */ + +#include <config.h> + +#include <unistd.h> + +#include <errno.h> +#include <stdlib.h> +#include <stdint.h> + +#if !HAVE_GETGROUPS + +/* Provide a stub that fails with ENOSYS, since there is no group + information available on mingw. */ +int +getgroups (int n _GL_UNUSED, GETGROUPS_T *groups _GL_UNUSED) +{ + errno = ENOSYS; + return -1; +} + +#else /* HAVE_GETGROUPS */ + +# undef getgroups +# ifndef GETGROUPS_ZERO_BUG +# define GETGROUPS_ZERO_BUG 0 +# endif + +/* On at least Ultrix 4.3 and NextStep 3.2, getgroups (0, NULL) always + fails. On other systems, it returns the number of supplemental + groups for the process. This function handles that special case + and lets the system-provided function handle all others. However, + it can fail with ENOMEM if memory is tight. It is unspecified + whether the effective group id is included in the list. */ + +int +rpl_getgroups (int n, gid_t *group) +{ + int n_groups; + GETGROUPS_T *gbuf; + int saved_errno; + + if (n < 0) + { + errno = EINVAL; + return -1; + } + + if (n != 0 || !GETGROUPS_ZERO_BUG) + { + int result; + if (sizeof *group == sizeof *gbuf) + return getgroups (n, (GETGROUPS_T *) group); + + if (SIZE_MAX / sizeof *gbuf <= n) + { + errno = ENOMEM; + return -1; + } + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + result = getgroups (n, gbuf); + if (0 <= result) + { + n = result; + while (n--) + group[n] = gbuf[n]; + } + saved_errno = errno; + free (gbuf); + errno == saved_errno; + return result; + } + + n = 20; + while (1) + { + /* No need to worry about address arithmetic overflow here, + since the ancient systems that we're running on have low + limits on the number of secondary groups. */ + gbuf = malloc (n * sizeof *gbuf); + if (!gbuf) + return -1; + n_groups = getgroups (n, gbuf); + if (n_groups == -1 ? errno != EINVAL : n_groups < n) + break; + free (gbuf); + n *= 2; + } + + saved_errno = errno; + free (gbuf); + errno = saved_errno; + + return n_groups; +} + +#endif /* HAVE_GETGROUPS */ === modified file 'lib/gnulib.mk' --- lib/gnulib.mk 2012-10-19 19:25:18 +0000 +++ lib/gnulib.mk 2012-10-20 01:13:35 +0000 @@ -21,7 +21,7 @@ # the same distribution terms as the rest of that program. # # Generated by gnulib-tool. -# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=errno --avoid=fcntl --avoid=fcntl-h --avoid=fstat --avoid=msvc-inval --avoid=msvc-nothrow --avoid=raise --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings +# Reproduce by: gnulib-tool --import --dir=. --lib=libgnu --source-base=lib --m4-base=m4 --doc-base=doc --tests-base=tests --aux-dir=build-aux --avoid=at-internal --avoid=errno --avoid=fchdir --avoid=fcntl --avoid=fstat --avoid=malloc-posix --avoid=msvc-inval --avoid=msvc-nothrow --avoid=openat-die --avoid=openat-h --avoid=raise --avoid=save-cwd --avoid=select --avoid=sigprocmask --avoid=sys_types --avoid=threadlib --makefile-name=gnulib.mk --conditional-dependencies --no-libtool --macro-prefix=gl --no-vc-files alloca-opt c-ctype c-strcase careadlinkat crypto/md5 crypto/sha1 crypto/sha256 crypto/sha512 dtoastr dtotimespec dup2 environ execinfo faccessat filemode getloadavg getopt-gnu gettime gettimeofday ignore-value intprops largefile lstat manywarnings mktime pselect pthread_sigmask readlink socklen stat-time stdalign stdarg stdbool stdio strftime strtoimax strtoumax symlink sys_stat sys_time time timer-time timespec-add timespec-sub utimens warnings MOSTLYCLEANFILES += core *.stackdump @@ -150,6 +150,17 @@ ## end gnulib module dup2 +## begin gnulib module euidaccess + +if gl_GNULIB_ENABLED_euidaccess + +endif +EXTRA_DIST += euidaccess.c + +EXTRA_libgnu_a_SOURCES += euidaccess.c + +## end gnulib module euidaccess + ## begin gnulib module execinfo BUILT_SOURCES += $(EXECINFO_H) @@ -175,6 +186,50 @@ ## end gnulib module execinfo +## begin gnulib module faccessat + + +EXTRA_DIST += at-func.c faccessat.c + +EXTRA_libgnu_a_SOURCES += at-func.c faccessat.c + +## end gnulib module faccessat + +## begin gnulib module fcntl-h + +BUILT_SOURCES += fcntl.h + +# We need the following in order to create <fcntl.h> when the system +# doesn't have one that works with the given compiler. +fcntl.h: fcntl.in.h $(top_builddir)/config.status $(CXXDEFS_H) $(ARG_NONNULL_H) $(WARN_ON_USE_H) + $(AM_V_GEN)rm -f $@-t $@ && \ + { echo '/* DO NOT EDIT! GENERATED AUTOMATICALLY! */'; \ + sed -e 's|@''GUARD_PREFIX''@|GL|g' \ + -e 's|@''INCLUDE_NEXT''@|$(INCLUDE_NEXT)|g' \ + -e 's|@''PRAGMA_SYSTEM_HEADER''@|@PRAGMA_SYSTEM_HEADER@|g' \ + -e 's|@''PRAGMA_COLUMNS''@|@PRAGMA_COLUMNS@|g' \ + -e 's|@''NEXT_FCNTL_H''@|$(NEXT_FCNTL_H)|g' \ + -e 's/@''GNULIB_FCNTL''@/$(GNULIB_FCNTL)/g' \ + -e 's/@''GNULIB_NONBLOCKING''@/$(GNULIB_NONBLOCKING)/g' \ + -e 's/@''GNULIB_OPEN''@/$(GNULIB_OPEN)/g' \ + -e 's/@''GNULIB_OPENAT''@/$(GNULIB_OPENAT)/g' \ + -e 's|@''HAVE_FCNTL''@|$(HAVE_FCNTL)|g' \ + -e 's|@''HAVE_OPENAT''@|$(HAVE_OPENAT)|g' \ + -e 's|@''REPLACE_FCNTL''@|$(REPLACE_FCNTL)|g' \ + -e 's|@''REPLACE_OPEN''@|$(REPLACE_OPEN)|g' \ + -e 's|@''REPLACE_OPENAT''@|$(REPLACE_OPENAT)|g' \ + -e '/definitions of _GL_FUNCDECL_RPL/r $(CXXDEFS_H)' \ + -e '/definition of _GL_ARG_NONNULL/r $(ARG_NONNULL_H)' \ + -e '/definition of _GL_WARN_ON_USE/r $(WARN_ON_USE_H)' \ + < $(srcdir)/fcntl.in.h; \ + } > $@-t && \ + mv $@-t $@ +MOSTLYCLEANFILES += fcntl.h fcntl.h-t + +EXTRA_DIST += fcntl.in.h + +## end gnulib module fcntl-h + ## begin gnulib module filemode libgnu_a_SOURCES += filemode.c @@ -183,6 +238,17 @@ ## end gnulib module filemode +## begin gnulib module getgroups + +if gl_GNULIB_ENABLED_getgroups + +endif +EXTRA_DIST += getgroups.c + +EXTRA_libgnu_a_SOURCES += getgroups.c + +## end gnulib module getgroups + ## begin gnulib module getloadavg @@ -242,6 +308,17 @@ ## end gnulib module gettimeofday +## begin gnulib module group-member + +if gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1 + +endif +EXTRA_DIST += group-member.c + +EXTRA_libgnu_a_SOURCES += group-member.c + +## end gnulib module group-member + ## begin gnulib module ignore-value @@ -354,6 +431,15 @@ ## end gnulib module readlink +## begin gnulib module root-uid + +if gl_GNULIB_ENABLED_6099e9737f757db36c47fa9d9f02e88c + +endif +EXTRA_DIST += root-uid.h + +## end gnulib module root-uid + ## begin gnulib module signal-h BUILT_SOURCES += signal.h @@ -1312,6 +1398,15 @@ ## end gnulib module verify +## begin gnulib module xalloc-oversized + +if gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec + +endif +EXTRA_DIST += xalloc-oversized.h + +## end gnulib module xalloc-oversized + mostlyclean-local: mostlyclean-generic @for dir in '' $(MOSTLYCLEANDIRS); do \ === added file 'lib/group-member.c' --- lib/group-member.c 1970-01-01 00:00:00 +0000 +++ lib/group-member.c 2012-10-12 23:28:31 +0000 @@ -0,0 +1,119 @@ +/* group-member.c -- determine whether group id is in calling user's group list + + Copyright (C) 1994, 1997-1998, 2003, 2005-2006, 2009-2012 Free Software + Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#include <config.h> + +/* Specification. */ +#include <unistd.h> + +#include <stdio.h> +#include <sys/types.h> +#include <stdlib.h> + +#include "xalloc-oversized.h" + +/* Most processes have no more than this many groups, and for these + processes we can avoid using malloc. */ +enum { GROUPBUF_SIZE = 100 }; + +struct group_info + { + gid_t *group; + gid_t groupbuf[GROUPBUF_SIZE]; + }; + +static void +free_group_info (struct group_info const *g) +{ + if (g->group != g->groupbuf) + free (g->group); +} + +static int +get_group_info (struct group_info *gi) +{ + int n_groups = getgroups (GROUPBUF_SIZE, gi->groupbuf); + gi->group = gi->groupbuf; + + if (n_groups < 0) + { + int n_group_slots = getgroups (0, NULL); + if (0 <= n_group_slots + && ! xalloc_oversized (n_group_slots, sizeof *gi->group)) + { + gi->group = malloc (n_group_slots * sizeof *gi->group); + if (gi->group) + n_groups = getgroups (n_group_slots, gi->group); + } + } + + /* In case of error, the user loses. */ + return n_groups; +} + +/* Return non-zero if GID is one that we have in our groups list. + Note that the groups list is not guaranteed to contain the current + or effective group ID, so they should generally be checked + separately. */ + +int +group_member (gid_t gid) +{ + int i; + int found; + struct group_info gi; + int n_groups = get_group_info (&gi); + + /* Search through the list looking for GID. */ + found = 0; + for (i = 0; i < n_groups; i++) + { + if (gid == gi.group[i]) + { + found = 1; + break; + } + } + + free_group_info (&gi); + + return found; +} + +#ifdef TEST + +char *program_name; + +int +main (int argc, char **argv) +{ + int i; + + program_name = argv[0]; + + for (i = 1; i < argc; i++) + { + gid_t gid; + + gid = atoi (argv[i]); + printf ("%d: %s\n", gid, group_member (gid) ? "yes" : "no"); + } + exit (0); +} + +#endif /* TEST */ === added file 'lib/root-uid.h' --- lib/root-uid.h 1970-01-01 00:00:00 +0000 +++ lib/root-uid.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,30 @@ +/* The user ID that always has appropriate privileges in the POSIX sense. + + Copyright 2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. + + Written by Paul Eggert. */ + +#ifndef ROOT_UID_H_ +#define ROOT_UID_H_ + +/* The user ID that always has appropriate privileges in the POSIX sense. */ +#ifdef __TANDEM +# define ROOT_UID 65535 +#else +# define ROOT_UID 0 +#endif + +#endif === added file 'lib/xalloc-oversized.h' --- lib/xalloc-oversized.h 1970-01-01 00:00:00 +0000 +++ lib/xalloc-oversized.h 2012-10-12 23:28:31 +0000 @@ -0,0 +1,38 @@ +/* xalloc-oversized.h -- memory allocation size checking + + Copyright (C) 1990-2000, 2003-2004, 2006-2012 Free Software Foundation, Inc. + + This program is free software: you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/>. */ + +#ifndef XALLOC_OVERSIZED_H_ +# define XALLOC_OVERSIZED_H_ + +# include <stddef.h> + +/* Return 1 if an array of N objects, each of size S, cannot exist due + to size arithmetic overflow. S must be positive and N must be + nonnegative. This is a macro, not a function, so that it + works correctly even when SIZE_MAX < N. + + By gnulib convention, SIZE_MAX represents overflow in size + calculations, so the conservative dividend to use here is + SIZE_MAX - 1, since SIZE_MAX might represent an overflowed value. + However, malloc (SIZE_MAX) fails on all known hosts where + sizeof (ptrdiff_t) <= sizeof (size_t), so do not bother to test for + exactly-SIZE_MAX allocations on such hosts; this avoids a test and + branch when S is known to be 1. */ +# define xalloc_oversized(n, s) \ + ((size_t) (sizeof (ptrdiff_t) <= sizeof (size_t) ? -1 : -2) / (s) < (n)) + +#endif /* !XALLOC_OVERSIZED_H_ */ === added file 'm4/euidaccess.m4' --- m4/euidaccess.m4 1970-01-01 00:00:00 +0000 +++ m4/euidaccess.m4 2012-10-17 02:11:22 +0000 @@ -0,0 +1,52 @@ +# euidaccess.m4 serial 15 +dnl Copyright (C) 2002-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS], +[ + AC_REQUIRE([gl_FUNC_EUIDACCESS]) + AC_CHECK_DECLS([setregid]) + AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], [1], + [Define this if you prefer euidaccess to return the correct result + even if this would make it nonreentrant. Define this only if your + entire application is safe even if the uid or gid might temporarily + change. If your application uses signal handlers or threads it + is probably not safe.]) +]) + +AC_DEFUN([gl_FUNC_EUIDACCESS], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare euidaccess(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS([euidaccess]) + if test $ac_cv_func_euidaccess = no; then + HAVE_EUIDACCESS=0 + fi +]) + +# Prerequisites of lib/euidaccess.c. +AC_DEFUN([gl_PREREQ_EUIDACCESS], [ + dnl Prefer POSIX faccessat over non-standard euidaccess. + AC_CHECK_FUNCS_ONCE([faccessat]) + dnl Try various other non-standard fallbacks. + AC_CHECK_HEADERS([libgen.h]) + AC_FUNC_GETGROUPS + + # Solaris 9 and 10 need -lgen to get the eaccess function. + # Save and restore LIBS so -lgen isn't added to it. Otherwise, *all* + # programs in the package would end up linked with that potentially-shared + # library, inducing unnecessary run-time overhead. + LIB_EACCESS= + AC_SUBST([LIB_EACCESS]) + gl_saved_libs=$LIBS + AC_SEARCH_LIBS([eaccess], [gen], + [test "$ac_cv_search_eaccess" = "none required" || + LIB_EACCESS=$ac_cv_search_eaccess]) + AC_CHECK_FUNCS([eaccess]) + LIBS=$gl_saved_libs +]) === added file 'm4/faccessat.m4' --- m4/faccessat.m4 1970-01-01 00:00:00 +0000 +++ m4/faccessat.m4 2012-10-15 06:05:46 +0000 @@ -0,0 +1,28 @@ +# serial 6 +# See if we need to provide faccessat replacement. + +dnl Copyright (C) 2009-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +# Written by Eric Blake. + +AC_DEFUN([gl_FUNC_FACCESSAT], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare faccessat(). + AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) + + AC_CHECK_FUNCS_ONCE([faccessat]) + if test $ac_cv_func_faccessat = no; then + HAVE_FACCESSAT=0 + fi +]) + +# Prerequisites of lib/faccessat.m4. +AC_DEFUN([gl_PREREQ_FACCESSAT], +[ + AC_CHECK_FUNCS([access]) +]) === added file 'm4/fcntl_h.m4' --- m4/fcntl_h.m4 1970-01-01 00:00:00 +0000 +++ m4/fcntl_h.m4 2012-10-15 06:05:46 +0000 @@ -0,0 +1,50 @@ +# serial 15 +# Configure fcntl.h. +dnl Copyright (C) 2006-2007, 2009-2012 Free Software Foundation, Inc. +dnl This file is free software; the Free Software Foundation +dnl gives unlimited permission to copy and/or distribute it, +dnl with or without modifications, as long as this notice is preserved. + +dnl Written by Paul Eggert. + +AC_DEFUN([gl_FCNTL_H], +[ + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + AC_REQUIRE([gl_FCNTL_O_FLAGS]) + gl_NEXT_HEADERS([fcntl.h]) + + dnl Ensure the type pid_t gets defined. + AC_REQUIRE([AC_TYPE_PID_T]) + + dnl Ensure the type mode_t gets defined. + AC_REQUIRE([AC_TYPE_MODE_T]) + + dnl Check for declarations of anything we want to poison if the + dnl corresponding gnulib module is not in use, if it is not common + dnl enough to be declared everywhere. + gl_WARN_ON_USE_PREPARE([[#include <fcntl.h> + ]], [fcntl openat]) +]) + +AC_DEFUN([gl_FCNTL_MODULE_INDICATOR], +[ + dnl Use AC_REQUIRE here, so that the default settings are expanded once only. + AC_REQUIRE([gl_FCNTL_H_DEFAULTS]) + gl_MODULE_INDICATOR_SET_VARIABLE([$1]) + dnl Define it also as a C macro, for the benefit of the unit tests. + gl_MODULE_INDICATOR_FOR_TESTS([$1]) +]) + +AC_DEFUN([gl_FCNTL_H_DEFAULTS], +[ + GNULIB_FCNTL=0; AC_SUBST([GNULIB_FCNTL]) + GNULIB_NONBLOCKING=0; AC_SUBST([GNULIB_NONBLOCKING]) + GNULIB_OPEN=0; AC_SUBST([GNULIB_OPEN]) + GNULIB_OPENAT=0; AC_SUBST([GNULIB_OPENAT]) + dnl Assume proper GNU behavior unless another module says otherwise. + HAVE_FCNTL=1; AC_SUBST([HAVE_FCNTL]) + HAVE_OPENAT=1; AC_SUBST([HAVE_OPENAT]) + REPLACE_FCNTL=0; AC_SUBST([REPLACE_FCNTL]) + REPLACE_OPEN=0; AC_SUBST([REPLACE_OPEN]) + REPLACE_OPENAT=0; AC_SUBST([REPLACE_OPENAT]) +]) === added file 'm4/getgroups.m4' --- m4/getgroups.m4 1970-01-01 00:00:00 +0000 +++ m4/getgroups.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,107 @@ +# serial 18 + +dnl From Jim Meyering. +dnl A wrapper around AC_FUNC_GETGROUPS. + +# Copyright (C) 1996-1997, 1999-2004, 2008-2012 Free Software Foundation, Inc. +# +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +m4_version_prereq([2.70], [] ,[ + +# This is taken from the following Autoconf patch: +# http://git.savannah.gnu.org/gitweb/?p=autoconf.git;a=commitdiff;h=7fbb553727ed7e0e689a17594b58559ecf3ea6e9 +AC_DEFUN([AC_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS])dnl + AC_REQUIRE([AC_TYPE_SIZE_T])dnl + AC_REQUIRE([AC_CANONICAL_HOST])dnl for cross-compiles + AC_CHECK_FUNC([getgroups]) + + # If we don't yet have getgroups, see if it's in -lbsd. + # This is reported to be necessary on an ITOS 3000WS running SEIUX 3.1. + ac_save_LIBS=$LIBS + if test $ac_cv_func_getgroups = no; then + AC_CHECK_LIB(bsd, getgroups, [GETGROUPS_LIB=-lbsd]) + fi + + # Run the program to test the functionality of the system-supplied + # getgroups function only if there is such a function. + if test $ac_cv_func_getgroups = yes; then + AC_CACHE_CHECK([for working getgroups], [ac_cv_func_getgroups_works], + [AC_RUN_IFELSE( + [AC_LANG_PROGRAM( + [AC_INCLUDES_DEFAULT], + [[/* On Ultrix 4.3, getgroups (0, 0) always fails. */ + return getgroups (0, 0) == -1;]]) + ], + [ac_cv_func_getgroups_works=yes], + [ac_cv_func_getgroups_works=no], + [case "$host_os" in # (( + # Guess yes on glibc systems. + *-gnu*) ac_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) ac_cv_func_getgroups_works="guessing no" ;; + esac + ]) + ]) + else + ac_cv_func_getgroups_works=no + fi + case "$ac_cv_func_getgroups_works" in + *yes) + AC_DEFINE([HAVE_GETGROUPS], [1], + [Define to 1 if your system has a working `getgroups' function.]) + ;; + esac + LIBS=$ac_save_LIBS +])# AC_FUNC_GETGROUPS + +]) + +AC_DEFUN([gl_FUNC_GETGROUPS], +[ + AC_REQUIRE([AC_TYPE_GETGROUPS]) + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + AC_REQUIRE([AC_CANONICAL_HOST]) dnl for cross-compiles + + AC_FUNC_GETGROUPS + if test $ac_cv_func_getgroups != yes; then + HAVE_GETGROUPS=0 + else + if test "$ac_cv_type_getgroups" != gid_t \ + || { case "$ac_cv_func_getgroups_works" in + *yes) false;; + *) true;; + esac + }; then + REPLACE_GETGROUPS=1 + AC_DEFINE([GETGROUPS_ZERO_BUG], [1], [Define this to 1 if + getgroups(0,NULL) does not return the number of groups.]) + else + dnl Detect FreeBSD bug; POSIX requires getgroups(-1,ptr) to fail. + AC_CACHE_CHECK([whether getgroups handles negative values], + [gl_cv_func_getgroups_works], + [AC_RUN_IFELSE([AC_LANG_PROGRAM([AC_INCLUDES_DEFAULT], + [[int size = getgroups (0, 0); + gid_t *list = malloc (size * sizeof *list); + return getgroups (-1, list) != -1;]])], + [gl_cv_func_getgroups_works=yes], + [gl_cv_func_getgroups_works=no], + [case "$host_os" in + # Guess yes on glibc systems. + *-gnu*) gl_cv_func_getgroups_works="guessing yes" ;; + # If we don't know, assume the worst. + *) gl_cv_func_getgroups_works="guessing no" ;; + esac + ])]) + case "$gl_cv_func_getgroups_works" in + *yes) ;; + *) REPLACE_GETGROUPS=1 ;; + esac + fi + fi + test -n "$GETGROUPS_LIB" && LIBS="$GETGROUPS_LIB $LIBS" +]) === modified file 'm4/gnulib-comp.m4' --- m4/gnulib-comp.m4 2012-10-19 19:25:18 +0000 +++ m4/gnulib-comp.m4 2012-10-20 01:13:35 +0000 @@ -53,17 +53,22 @@ # Code from module dtotimespec: # Code from module dup2: # Code from module environ: + # Code from module euidaccess: # Code from module execinfo: # Code from module extensions: AC_REQUIRE([gl_USE_SYSTEM_EXTENSIONS]) # Code from module extern-inline: + # Code from module faccessat: + # Code from module fcntl-h: # Code from module filemode: + # Code from module getgroups: # Code from module getloadavg: # Code from module getopt-gnu: # Code from module getopt-posix: # Code from module gettext-h: # Code from module gettime: # Code from module gettimeofday: + # Code from module group-member: # Code from module ignore-value: # Code from module include_next: # Code from module intprops: @@ -79,6 +84,7 @@ # Code from module pselect: # Code from module pthread_sigmask: # Code from module readlink: + # Code from module root-uid: # Code from module signal-h: # Code from module snippet/_Noreturn: # Code from module snippet/arg-nonnull: @@ -120,6 +126,7 @@ # Code from module utimens: # Code from module verify: # Code from module warnings: + # Code from module xalloc-oversized: ]) # This macro should be invoked from ./configure.ac, in the section @@ -156,6 +163,14 @@ gl_UNISTD_MODULE_INDICATOR([environ]) gl_EXECINFO_H AC_REQUIRE([gl_EXTERN_INLINE]) + gl_FUNC_FACCESSAT + if test $HAVE_FACCESSAT = 0; then + AC_LIBOBJ([faccessat]) + gl_PREREQ_FACCESSAT + fi + gl_MODULE_INDICATOR([faccessat]) + gl_UNISTD_MODULE_INDICATOR([faccessat]) + gl_FCNTL_H gl_FILEMODE gl_GETLOADAVG if test $HAVE_GETLOADAVG = 0; then @@ -269,18 +284,53 @@ gl_UNISTD_H gl_UTIMENS gl_gnulib_enabled_dosname=false + gl_gnulib_enabled_euidaccess=false + gl_gnulib_enabled_getgroups=false gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=false + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=false gl_gnulib_enabled_pathmax=false + gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c=false gl_gnulib_enabled_stat=false gl_gnulib_enabled_strtoll=false gl_gnulib_enabled_strtoull=false gl_gnulib_enabled_verify=false + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=false func_gl_gnulib_m4code_dosname () { if ! $gl_gnulib_enabled_dosname; then gl_gnulib_enabled_dosname=true fi } + func_gl_gnulib_m4code_euidaccess () + { + if ! $gl_gnulib_enabled_euidaccess; then + gl_FUNC_EUIDACCESS + if test $HAVE_EUIDACCESS = 0; then + AC_LIBOBJ([euidaccess]) + gl_PREREQ_EUIDACCESS + fi + gl_UNISTD_MODULE_INDICATOR([euidaccess]) + gl_gnulib_enabled_euidaccess=true + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 + fi + func_gl_gnulib_m4code_6099e9737f757db36c47fa9d9f02e88c + if test $HAVE_EUIDACCESS = 0; then + func_gl_gnulib_m4code_stat + fi + fi + } + func_gl_gnulib_m4code_getgroups () + { + if ! $gl_gnulib_enabled_getgroups; then + gl_FUNC_GETGROUPS + if test $HAVE_GETGROUPS = 0 || test $REPLACE_GETGROUPS = 1; then + AC_LIBOBJ([getgroups]) + fi + gl_UNISTD_MODULE_INDICATOR([getgroups]) + gl_gnulib_enabled_getgroups=true + fi + } func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 () { if ! $gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36; then @@ -289,6 +339,24 @@ gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36=true fi } + func_gl_gnulib_m4code_a9786850e999ae65a836a6041e8e5ed1 () + { + if ! $gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1; then + gl_FUNC_GROUP_MEMBER + if test $HAVE_GROUP_MEMBER = 0; then + AC_LIBOBJ([group-member]) + gl_PREREQ_GROUP_MEMBER + fi + gl_UNISTD_MODULE_INDICATOR([group-member]) + gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1=true + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_getgroups + fi + if test $HAVE_GROUP_MEMBER = 0; then + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec + fi + fi + } func_gl_gnulib_m4code_pathmax () { if ! $gl_gnulib_enabled_pathmax; then @@ -296,6 +364,12 @@ gl_gnulib_enabled_pathmax=true fi } + func_gl_gnulib_m4code_6099e9737f757db36c47fa9d9f02e88c () + { + if ! $gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c; then + gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c=true + fi + } func_gl_gnulib_m4code_stat () { if ! $gl_gnulib_enabled_stat; then @@ -347,6 +421,18 @@ gl_gnulib_enabled_verify=true fi } + func_gl_gnulib_m4code_682e609604ccaac6be382e4ee3a4eaec () + { + if ! $gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec; then + gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec=true + fi + } + if test $HAVE_FACCESSAT = 0; then + func_gl_gnulib_m4code_dosname + fi + if test $HAVE_FACCESSAT = 0; then + func_gl_gnulib_m4code_euidaccess + fi if test $REPLACE_GETOPT = 1; then func_gl_gnulib_m4code_be453cec5eecf5731a274f2de7f2db36 fi @@ -373,12 +459,17 @@ fi m4_pattern_allow([^gl_GNULIB_ENABLED_]) AM_CONDITIONAL([gl_GNULIB_ENABLED_dosname], [$gl_gnulib_enabled_dosname]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_euidaccess], [$gl_gnulib_enabled_euidaccess]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_getgroups], [$gl_gnulib_enabled_getgroups]) AM_CONDITIONAL([gl_GNULIB_ENABLED_be453cec5eecf5731a274f2de7f2db36], [$gl_gnulib_enabled_be453cec5eecf5731a274f2de7f2db36]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_a9786850e999ae65a836a6041e8e5ed1], [$gl_gnulib_enabled_a9786850e999ae65a836a6041e8e5ed1]) AM_CONDITIONAL([gl_GNULIB_ENABLED_pathmax], [$gl_gnulib_enabled_pathmax]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_6099e9737f757db36c47fa9d9f02e88c], [$gl_gnulib_enabled_6099e9737f757db36c47fa9d9f02e88c]) AM_CONDITIONAL([gl_GNULIB_ENABLED_stat], [$gl_gnulib_enabled_stat]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoll], [$gl_gnulib_enabled_strtoll]) AM_CONDITIONAL([gl_GNULIB_ENABLED_strtoull], [$gl_gnulib_enabled_strtoull]) AM_CONDITIONAL([gl_GNULIB_ENABLED_verify], [$gl_gnulib_enabled_verify]) + AM_CONDITIONAL([gl_GNULIB_ENABLED_682e609604ccaac6be382e4ee3a4eaec], [$gl_gnulib_enabled_682e609604ccaac6be382e4ee3a4eaec]) # End of code from modules m4_ifval(gl_LIBSOURCES_LIST, [ m4_syscmd([test ! -d ]m4_defn([gl_LIBSOURCES_DIR])[ || @@ -527,6 +618,7 @@ lib/alloca.in.h lib/allocator.c lib/allocator.h + lib/at-func.c lib/c-ctype.c lib/c-ctype.h lib/c-strcase.h @@ -538,12 +630,16 @@ lib/dtoastr.c lib/dtotimespec.c lib/dup2.c + lib/euidaccess.c lib/execinfo.c lib/execinfo.in.h + lib/faccessat.c + lib/fcntl.in.h lib/filemode.c lib/filemode.h lib/ftoastr.c lib/ftoastr.h + lib/getgroups.c lib/getloadavg.c lib/getopt.c lib/getopt.in.h @@ -552,6 +648,7 @@ lib/gettext.h lib/gettime.c lib/gettimeofday.c + lib/group-member.c lib/ignore-value.h lib/intprops.h lib/inttypes.in.h @@ -564,6 +661,7 @@ lib/pselect.c lib/pthread_sigmask.c lib/readlink.c + lib/root-uid.h lib/sha1.c lib/sha1.h lib/sha256.c @@ -605,21 +703,28 @@ lib/utimens.c lib/utimens.h lib/verify.h + lib/xalloc-oversized.h m4/00gnulib.m4 m4/alloca.m4 m4/c-strtod.m4 m4/clock_time.m4 m4/dup2.m4 m4/environ.m4 + m4/euidaccess.m4 m4/execinfo.m4 m4/extensions.m4 m4/extern-inline.m4 + m4/faccessat.m4 + m4/fcntl-o.m4 + m4/fcntl_h.m4 m4/filemode.m4 + m4/getgroups.m4 m4/getloadavg.m4 m4/getopt.m4 m4/gettime.m4 m4/gettimeofday.m4 m4/gnulib-common.m4 + m4/group-member.m4 m4/include_next.m4 m4/inttypes.m4 m4/largefile.m4 === added file 'm4/group-member.m4' --- m4/group-member.m4 1970-01-01 00:00:00 +0000 +++ m4/group-member.m4 2012-10-12 23:28:31 +0000 @@ -0,0 +1,29 @@ +# serial 14 + +# Copyright (C) 1999-2001, 2003-2007, 2009-2012 Free Software Foundation, Inc. + +# This file is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +dnl Written by Jim Meyering + +AC_DEFUN([gl_FUNC_GROUP_MEMBER], +[ + AC_REQUIRE([gl_UNISTD_H_DEFAULTS]) + + dnl Persuade glibc <unistd.h> to declare group_member(). + AC_REQUIRE([AC_USE_SYSTEM_EXTENSIONS]) + + dnl Do this replacement check manually because I want the hyphen + dnl (not the underscore) in the filename. + AC_CHECK_FUNC([group_member], , [ + HAVE_GROUP_MEMBER=0 + ]) +]) + +# Prerequisites of lib/group-member.c. +AC_DEFUN([gl_PREREQ_GROUP_MEMBER], +[ + AC_REQUIRE([AC_FUNC_GETGROUPS]) +]) === modified file 'nt/ChangeLog' --- nt/ChangeLog 2012-10-19 19:25:18 +0000 +++ nt/ChangeLog 2012-10-22 02:43:16 +0000 @@ -1,3 +1,10 @@ +2012-10-22 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + * inc/ms-w32.h (AT_FDCWD, AT_EACCESS): New symbols. + (access): Remove. + (faccessat): New macro. + 2012-10-17 Eli Zaretskii <eliz@gnu.org> * inc/pwd.h (getuid, geteuid): Add prototypes. === modified file 'nt/inc/ms-w32.h' --- nt/inc/ms-w32.h 2012-10-19 19:25:18 +0000 +++ nt/inc/ms-w32.h 2012-10-20 01:13:35 +0000 @@ -124,6 +124,10 @@ #define MAXPATHLEN _MAX_PATH #endif +/* Use values compatible with gnulib, as there's no reason to differ. */ +#define AT_FDCWD (-3041965) +#define AT_EACCESS 4 + #ifdef HAVE_NTGUI #define HAVE_WINDOW_SYSTEM 1 #define HAVE_MENUS 1 @@ -145,8 +149,6 @@ #endif /* Calls that are emulated or shadowed. */ -#undef access -#define access sys_access #undef chdir #define chdir sys_chdir #undef chmod @@ -161,6 +163,7 @@ #define dup sys_dup #undef dup2 #define dup2 sys_dup2 +#define faccessat sys_faccessat #define fopen sys_fopen #define link sys_link #define localtime sys_localtime === modified file 'src/ChangeLog' --- src/ChangeLog 2012-10-21 18:48:11 +0000 +++ src/ChangeLog 2012-10-22 06:00:54 +0000 @@ -1,3 +1,68 @@ +2012-10-22 Paul Eggert <eggert@cs.ucla.edu> + + Use faccessat, not access, when checking file permissions (Bug#12632). + This fixes a bug that has been present in Emacs since its creation. + It was reported by Chris Torek in 1983 even before GNU Emacs existed, + which must set some sort of record. (Torek's bug report was against + a predecessor of GNU Emacs, but GNU Emacs happened to have the + same common flaw.) See Torek's Usenet posting + "setuid/setgid programs & Emacs" Article-I.D.: sri-arpa.858 + Posted: Fri Apr 8 14:18:56 1983. + (LIBES): Use it. + * callproc.c (init_callproc): + * charset.c (init_charset): + * fileio.c (check_existing, check_executable, check_writable) + (Ffile_readable_p): + * lread.c (openp, load_path_check): + * process.c (allocate_pty): + * xrdb.c (file_p): + Use effective UID when checking permissions, not real UID. + * callproc.c (init_callproc): + * charset.c (init_charset): + * lread.c (load_path_check, init_lread): + Test whether directories are accessible, not merely whether they exist. + * conf_post.h (GNULIB_SUPPORT_ONLY_AT_FDCWD): New macro. + * fileio.c (check_existing, check_executable, check_writable) + (Ffile_readable_p): + Use symbolic names instead of integers for the flags, as they're + portable now. + (check_writable): Set errno on failure. + (Ffile_readable_p): Use faccessat, not stat + open + close. + (Ffile_writable_p): No need to call check_existing + check_writable. + Just call check_writable and then look at errno. This saves a syscall. + dir should never be nil; replace an unnecessary runtime check + with an eassert. When checking the parent directory of a nonexistent + file, check that the directory is searchable as well as writable, as + we can't create files in unsearchable directories. + (file_directory_p): New function, which uses 'stat' on most platforms + but faccessat with D_OK (for efficiency) if WINDOWSNT. + (Ffile_directory_p, Fset_file_times): Use it. + (file_accessible_directory_p): New function, which uses a single + syscall for efficiency. + (Ffile_accessible_directory_p): Use it. + * xrdb.c (file_p): Use file_directory_p. + * lisp.h (file_directory_p, file_accessible_directory_p): New decls. + * lread.c (openp): When opening a file, use fstat rather than + stat, as that avoids a permissions race. When not opening a file, + use file_directory_p rather than stat. + (dir_warning): First arg is now a usage string, not a format. + Use errno. All uses changed. + * nsterm.m (ns_term_init): Remove unnecessary call to file-readable + that merely introduced a race. + * process.c, sysdep.c, term.c: All uses of '#ifdef O_NONBLOCK' + changed to '#if O_NONBLOCK', to accommodate gnulib O_* style, + and similarly for the other O_* flags. + * w32.c (sys_faccessat): Rename from sys_access and switch to + faccessat's API. All uses changed. + * xrdb.c: Do not include <sys/stat.h>; no longer needed. + (magic_db): Rename from magic_file_p. + (magic_db, search_magic_path): Return an XrmDatabase rather than a + char *, so that we don't have to test for file existence + separately from opening the file for reading. This removes a race + fixes a permission-checking problem, and simplifies the code. + All uses changed. + (file_p): Remove; no longer needed. + 2012-10-21 Jan Djärv <jan.h.d@swipnet.se> * nsfont.m (nsfont_open, ns_glyph_metrics): Force integer advancement === modified file 'src/Makefile.in' --- src/Makefile.in 2012-10-19 19:25:18 +0000 +++ src/Makefile.in 2012-10-20 01:13:35 +0000 @@ -150,6 +150,7 @@ M17N_FLT_LIBS = @M17N_FLT_LIBS@ LIB_CLOCK_GETTIME=@LIB_CLOCK_GETTIME@ +LIB_EACCESS=@LIB_EACCESS@ LIB_TIMER_TIME=@LIB_TIMER_TIME@ DBUS_CFLAGS = @DBUS_CFLAGS@ @@ -392,7 +393,7 @@ LIBES = $(LIBS) $(W32_LIBS) $(LIBX_BASE) $(LIBIMAGE) \ $(LIBX_OTHER) $(LIBSOUND) \ $(RSVG_LIBS) $(IMAGEMAGICK_LIBS) $(LIB_CLOCK_GETTIME) \ - $(LIB_TIMER_TIME) $(DBUS_LIBS) \ + $(LIB_EACCESS) $(LIB_TIMER_TIME) $(DBUS_LIBS) \ $(LIB_EXECINFO) \ $(LIBXML2_LIBS) $(LIBGPM) $(LIBRESOLV) $(LIBS_SYSTEM) \ $(LIBS_TERMCAP) $(GETLOADAVG_LIBS) $(SETTINGS_LIBS) $(LIBSELINUX_LIBS) \ === modified file 'src/callproc.c' --- src/callproc.c 2012-10-19 19:25:18 +0000 +++ src/callproc.c 2012-10-22 02:36:17 +0000 @@ -1597,15 +1597,13 @@ #endif { tempdir = Fdirectory_file_name (Vexec_directory); - if (access (SSDATA (tempdir), 0) < 0) - dir_warning ("Warning: arch-dependent data dir (%s) does not exist.\n", - Vexec_directory); + if (! file_accessible_directory_p (SSDATA (tempdir))) + dir_warning ("arch-dependent data dir", Vexec_directory); } tempdir = Fdirectory_file_name (Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) - dir_warning ("Warning: arch-independent data dir (%s) does not exist.\n", - Vdata_directory); + if (! file_accessible_directory_p (SSDATA (tempdir))) + dir_warning ("arch-independent data dir", Vdata_directory); sh = (char *) getenv ("SHELL"); Vshell_file_name = build_string (sh ? sh : "/bin/sh"); @@ -1614,7 +1612,7 @@ Vshared_game_score_directory = Qnil; #else Vshared_game_score_directory = build_string (PATH_GAME); - if (NILP (Ffile_directory_p (Vshared_game_score_directory))) + if (NILP (Ffile_accessible_directory_p (Vshared_game_score_directory))) Vshared_game_score_directory = Qnil; #endif } === modified file 'src/charset.c' --- src/charset.c 2012-10-19 19:25:18 +0000 +++ src/charset.c 2012-10-22 04:53:32 +0000 @@ -2293,7 +2293,7 @@ { Lisp_Object tempdir; tempdir = Fexpand_file_name (build_string ("charsets"), Vdata_directory); - if (access (SSDATA (tempdir), 0) < 0) + if (! file_accessible_directory_p (SSDATA (tempdir))) { /* This used to be non-fatal (dir_warning), but it should not happen, and if it does sooner or later it will cause some === modified file 'src/conf_post.h' --- src/conf_post.h 2012-10-19 19:25:18 +0000 +++ src/conf_post.h 2012-10-20 01:13:35 +0000 @@ -169,6 +169,10 @@ #endif #endif +/* Tell gnulib to omit support for openat-related functions having a + first argument other than AT_FDCWD. */ +#define GNULIB_SUPPORT_ONLY_AT_FDCWD + #include <string.h> #include <stdlib.h> === modified file 'src/fileio.c' --- src/fileio.c 2012-10-19 19:25:18 +0000 +++ src/fileio.c 2012-10-22 02:36:17 +0000 @@ -2425,15 +2425,7 @@ bool check_existing (const char *filename) { -#ifdef DOS_NT - /* The full emulation of Posix 'stat' is too expensive on - DOS/Windows, when all we want to know is whether the file exists. - So we use 'access' instead, which is much more lightweight. */ - return (access (filename, F_OK) >= 0); -#else - struct stat st; - return (stat (filename, &st) >= 0); -#endif + return faccessat (AT_FDCWD, filename, F_OK, AT_EACCESS) == 0; } /* Return true if file FILENAME exists and can be executed. */ @@ -2441,56 +2433,40 @@ static bool check_executable (char *filename) { -#ifdef DOS_NT - struct stat st; - if (stat (filename, &st) < 0) - return 0; - return ((st.st_mode & S_IEXEC) != 0); -#else /* not DOS_NT */ -#ifdef HAVE_EUIDACCESS - return (euidaccess (filename, 1) >= 0); -#else - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. */ - return (access (filename, 1) >= 0); -#endif -#endif /* not DOS_NT */ + return faccessat (AT_FDCWD, filename, X_OK, AT_EACCESS) == 0; } -/* Return true if file FILENAME exists and can be written. */ +/* Return true if file FILENAME exists and can be accessed + according to AMODE, which should include W_OK. + On failure, return false and set errno. */ static bool -check_writable (const char *filename) +check_writable (const char *filename, int amode) { #ifdef MSDOS + /* FIXME: an faccessat implementation should be added to the + DOS/Windows ports and this #ifdef branch should be removed. */ struct stat st; if (stat (filename, &st) < 0) return 0; + errno = EPERM; return (st.st_mode & S_IWRITE || S_ISDIR (st.st_mode)); #else /* not MSDOS */ -#ifdef HAVE_EUIDACCESS - bool res = (euidaccess (filename, 2) >= 0); + bool res = faccessat (AT_FDCWD, filename, amode, AT_EACCESS) == 0; #ifdef CYGWIN - /* euidaccess may have returned failure because Cygwin couldn't + /* faccessat may have returned failure because Cygwin couldn't determine the file's UID or GID; if so, we return success. */ if (!res) { + int faccessat_errno = errno; struct stat st; if (stat (filename, &st) < 0) return 0; res = (st.st_uid == -1 || st.st_gid == -1); + errno = faccessat_errno; } #endif /* CYGWIN */ return res; -#else /* not HAVE_EUIDACCESS */ - /* Access isn't quite right because it uses the real uid - and we really want to test with the effective uid. - But Unix doesn't give us a right way to do it. - Opening with O_WRONLY could work for an ordinary file, - but would lose for directories. */ - return (access (filename, 2) >= 0); -#endif /* not HAVE_EUIDACCESS */ #endif /* not MSDOS */ } @@ -2547,9 +2523,6 @@ { Lisp_Object absname; Lisp_Object handler; - int desc; - int flags; - struct stat statbuf; CHECK_STRING (filename); absname = Fexpand_file_name (filename, Qnil); @@ -2561,35 +2534,10 @@ return call2 (handler, Qfile_readable_p, absname); absname = ENCODE_FILE (absname); - -#if defined (DOS_NT) || defined (macintosh) - /* Under MS-DOS, Windows, and Macintosh, open does not work for - directories. */ - if (access (SDATA (absname), 0) == 0) - return Qt; - return Qnil; -#else /* not DOS_NT and not macintosh */ - flags = O_RDONLY; -#ifdef O_NONBLOCK - /* Opening a fifo without O_NONBLOCK can wait. - We don't want to wait. But we don't want to mess wth O_NONBLOCK - except in the case of a fifo, on a system which handles it. */ - desc = stat (SSDATA (absname), &statbuf); - if (desc < 0) - return Qnil; - if (S_ISFIFO (statbuf.st_mode)) - flags |= O_NONBLOCK; -#endif - desc = emacs_open (SSDATA (absname), flags, 0); - if (desc < 0) - return Qnil; - emacs_close (desc); - return Qt; -#endif /* not DOS_NT and not macintosh */ + return (faccessat (AT_FDCWD, SSDATA (absname), R_OK, AT_EACCESS) == 0 + ? Qt : Qnil); } -/* Having this before file-symlink-p mysteriously caused it to be forgotten - on the RT/PC. */ DEFUN ("file-writable-p", Ffile_writable_p, Sfile_writable_p, 1, 1, 0, doc: /* Return t if file FILENAME can be written or created by you. */) (Lisp_Object filename) @@ -2607,14 +2555,15 @@ return call2 (handler, Qfile_writable_p, absname); encoded = ENCODE_FILE (absname); - if (check_existing (SSDATA (encoded))) - return (check_writable (SSDATA (encoded)) - ? Qt : Qnil); + if (check_writable (SSDATA (encoded), W_OK)) + return Qt; + if (errno != ENOENT) + return Qnil; dir = Ffile_name_directory (absname); + eassert (!NILP (dir)); #ifdef MSDOS - if (!NILP (dir)) - dir = Fdirectory_file_name (dir); + dir = Fdirectory_file_name (dir); #endif /* MSDOS */ dir = ENCODE_FILE (dir); @@ -2622,10 +2571,9 @@ /* The read-only attribute of the parent directory doesn't affect whether a file or directory can be created within it. Some day we should check ACLs though, which do affect this. */ - return (access (SDATA (dir), D_OK) < 0) ? Qnil : Qt; + return file_directory_p (SDATA (dir)) ? Qt : Qnil; #else - return (check_writable (!NILP (dir) ? SSDATA (dir) : "") - ? Qt : Qnil); + return check_writable (SSDATA (dir), W_OK | X_OK) ? Qt : Qnil; #endif } \f @@ -2703,8 +2651,7 @@ See `file-symlink-p' to distinguish symlinks. */) (Lisp_Object filename) { - register Lisp_Object absname; - struct stat st; + Lisp_Object absname; Lisp_Object handler; absname = expand_and_dir_to_file (filename, BVAR (current_buffer, directory)); @@ -2717,9 +2664,20 @@ absname = ENCODE_FILE (absname); - if (stat (SSDATA (absname), &st) < 0) - return Qnil; - return S_ISDIR (st.st_mode) ? Qt : Qnil; + return file_directory_p (SSDATA (absname)) ? Qt : Qnil; +} + +/* Return true if FILE is a directory or a symlink to a directory. */ +bool +file_directory_p (char const *file) +{ +#ifdef WINDOWSNT + /* This is cheaper than 'stat'. */ + return faccessat (AT_FDCWD, file, D_OK, AT_EACCESS) == 0; +#else + struct stat st; + return stat (file, &st) == 0 && S_ISDIR (st.st_mode); +#endif } DEFUN ("file-accessible-directory-p", Ffile_accessible_directory_p, @@ -2733,21 +2691,49 @@ searchable directory. */) (Lisp_Object filename) { + Lisp_Object absname; Lisp_Object handler; - bool tem; - struct gcpro gcpro1; + + CHECK_STRING (filename); + absname = Fexpand_file_name (filename, Qnil); /* If the file name has special constructs in it, call the corresponding file handler. */ - handler = Ffind_file_name_handler (filename, Qfile_accessible_directory_p); + handler = Ffind_file_name_handler (absname, Qfile_accessible_directory_p); if (!NILP (handler)) - return call2 (handler, Qfile_accessible_directory_p, filename); - - GCPRO1 (filename); - tem = (NILP (Ffile_directory_p (filename)) - || NILP (Ffile_executable_p (filename))); - UNGCPRO; - return tem ? Qnil : Qt; + return call2 (handler, Qfile_accessible_directory_p, absname); + + absname = ENCODE_FILE (absname); + return file_accessible_directory_p (SSDATA (absname)) ? Qt : Qnil; +} + +/* If FILE is a searchable directory or a symlink to a + searchable directory, return true. Otherwise return + false and set errno to an error number. */ +bool +file_accessible_directory_p (char const *file) +{ + ptrdiff_t len = strlen (file); + bool ok; + int faccessat_errno; + USE_SAFE_ALLOCA; + + /* Normally a file F is an accessible directory if F/. is accessible. + But omit the "/." if F is empty, as "" is not "/."; and omit the + "/" if F ends in "/", as on some platforms "/" != "//". */ + if (len) + { + char *buf = SAFE_ALLOCA (len + 3); + memcpy (buf, file, len); + strcpy (buf + len, "/." + (file[len - 1] == '/')); + file = buf; + } + + ok = faccessat (AT_FDCWD, file, F_OK, AT_EACCESS) == 0; + faccessat_errno = errno; + SAFE_FREE (); + errno = faccessat_errno; + return ok; } DEFUN ("file-regular-p", Ffile_regular_p, Sfile_regular_p, 1, 1, 0, @@ -3044,10 +3030,8 @@ if (set_file_times (-1, SSDATA (encoded_absname), t, t)) { #ifdef MSDOS - struct stat st; - /* Setting times on a directory always fails. */ - if (stat (SSDATA (encoded_absname), &st) == 0 && S_ISDIR (st.st_mode)) + if (file_directory_p (SSDATA (encoded_absname))) return Qnil; #endif report_file_error ("Setting file times", Fcons (absname, Qnil)); === modified file 'src/lisp.h' --- src/lisp.h 2012-10-21 07:23:34 +0000 +++ src/lisp.h 2012-10-22 02:43:16 +0000 @@ -3227,6 +3227,8 @@ extern Lisp_Object restore_point_unwind (Lisp_Object); extern _Noreturn void report_file_error (const char *, Lisp_Object); extern void internal_delete_file (Lisp_Object); +extern bool file_directory_p (const char *); +extern bool file_accessible_directory_p (const char *); extern void syms_of_fileio (void); extern Lisp_Object make_temp_name (Lisp_Object, bool); extern Lisp_Object Qdelete_file; === modified file 'src/lread.c' --- src/lread.c 2012-10-20 12:50:49 +0000 +++ src/lread.c 2012-10-22 02:43:16 +0000 @@ -1403,7 +1403,7 @@ If SUFFIXES is non-nil, it should be a list of suffixes to append to file name when searching. If non-nil, PREDICATE is used instead of `file-readable-p'. -PREDICATE can also be an integer to pass to the access(2) function, +PREDICATE can also be an integer to pass to the faccessat(2) function, in which case file-name-handlers are ignored. This function will normally skip directories, so if you want it to find directories, make sure the PREDICATE function returns `dir-ok' for them. */) @@ -1441,7 +1441,6 @@ int openp (Lisp_Object path, Lisp_Object str, Lisp_Object suffixes, Lisp_Object *storeptr, Lisp_Object predicate) { - int fd; ptrdiff_t fn_size = 100; char buf[100]; char *fn = buf; @@ -1496,7 +1495,6 @@ { ptrdiff_t fnlen, lsuffix = SBYTES (XCAR (tail)); Lisp_Object handler; - bool exists; /* Concatenate path element/specified name with the suffix. If the directory starts with /:, remove that. */ @@ -1520,6 +1518,7 @@ handler = Ffind_file_name_handler (string, Qfile_exists_p); if ((!NILP (handler) || !NILP (predicate)) && !NATNUMP (predicate)) { + bool exists; if (NILP (predicate)) exists = !NILP (Ffile_readable_p (string)); else @@ -1541,37 +1540,40 @@ } else { -#ifndef WINDOWSNT - struct stat st; -#endif + int fd; const char *pfn; encoded_fn = ENCODE_FILE (string); pfn = SSDATA (encoded_fn); -#ifdef WINDOWSNT - exists = access (pfn, F_OK) == 0 && access (pfn, D_OK) < 0; -#else - exists = (stat (pfn, &st) == 0 && ! S_ISDIR (st.st_mode)); -#endif - if (exists) + + /* Check that we can access or open it. */ + if (NATNUMP (predicate)) + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 + && (faccessat (AT_FDCWD, pfn, XFASTINT (predicate), + AT_EACCESS) + == 0) + && ! file_directory_p (pfn)) + ? 1 : -1); + else { - /* Check that we can access or open it. */ - if (NATNUMP (predicate)) - fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 - && access (pfn, XFASTINT (predicate)) == 0) - ? 1 : -1); - else - fd = emacs_open (pfn, O_RDONLY, 0); - - if (fd >= 0) + struct stat st; + fd = emacs_open (pfn, O_RDONLY, 0); + if (0 <= fd + && (fstat (fd, &st) != 0 || S_ISDIR (st.st_mode))) { - /* We succeeded; return this descriptor and filename. */ - if (storeptr) - *storeptr = string; - UNGCPRO; - return fd; + emacs_close (fd); + fd = -1; } } + + if (fd >= 0) + { + /* We succeeded; return this descriptor and filename. */ + if (storeptr) + *storeptr = string; + UNGCPRO; + return fd; + } } } if (absolute) @@ -4087,9 +4089,8 @@ if (STRINGP (dirfile)) { dirfile = Fdirectory_file_name (dirfile); - if (access (SSDATA (dirfile), 0) < 0) - dir_warning ("Warning: Lisp directory `%s' does not exist.\n", - XCAR (path_tail)); + if (! file_accessible_directory_p (SSDATA (dirfile))) + dir_warning ("Lisp directory", XCAR (path_tail)); } } } @@ -4201,11 +4202,11 @@ Lisp_Object tem, tem1; /* Add to the path the lisp subdir of the installation - dir, if it exists. Note: in out-of-tree builds, + dir, if it is accessible. Note: in out-of-tree builds, this directory is empty save for Makefile. */ tem = Fexpand_file_name (build_string ("lisp"), Vinstallation_directory); - tem1 = Ffile_exists_p (tem); + tem1 = Ffile_accessible_directory_p (tem); if (!NILP (tem1)) { if (NILP (Fmember (tem, Vload_path))) @@ -4222,10 +4223,10 @@ Lisp dirs instead. */ Vload_path = nconc2 (Vload_path, dump_path); - /* Add leim under the installation dir, if it exists. */ + /* Add leim under the installation dir, if it is accessible. */ tem = Fexpand_file_name (build_string ("leim"), Vinstallation_directory); - tem1 = Ffile_exists_p (tem); + tem1 = Ffile_accessible_directory_p (tem); if (!NILP (tem1)) { if (NILP (Fmember (tem, Vload_path))) @@ -4237,7 +4238,7 @@ { tem = Fexpand_file_name (build_string ("site-lisp"), Vinstallation_directory); - tem1 = Ffile_exists_p (tem); + tem1 = Ffile_accessible_directory_p (tem); if (!NILP (tem1)) { if (NILP (Fmember (tem, Vload_path))) @@ -4282,7 +4283,7 @@ { tem = Fexpand_file_name (build_string ("site-lisp"), Vsource_directory); - tem1 = Ffile_exists_p (tem); + tem1 = Ffile_accessible_directory_p (tem); if (!NILP (tem1)) { if (NILP (Fmember (tem, Vload_path))) @@ -4338,21 +4339,27 @@ Vloads_in_progress = Qnil; } -/* Print a warning, using format string FORMAT, that directory DIRNAME - does not exist. Print it on stderr and put it in *Messages*. */ +/* Print a warning that directory intended for use USE and with name + DIRNAME cannot be accessed. On entry, errno should correspond to + the access failure. Print the warning on stderr and put it in + *Messages*. */ void -dir_warning (const char *format, Lisp_Object dirname) +dir_warning (char const *use, Lisp_Object dirname) { - fprintf (stderr, format, SDATA (dirname)); + static char const format[] = "Warning: %s `%s': %s\n"; + char const *diagnostic = strerror (errno); + fprintf (stderr, format, use, SSDATA (dirname), diagnostic); /* Don't log the warning before we've initialized!! */ if (initialized) { USE_SAFE_ALLOCA; - char *buffer = SAFE_ALLOCA (SBYTES (dirname) - + strlen (format) - (sizeof "%s" - 1) + 1); - ptrdiff_t message_len = esprintf (buffer, format, SDATA (dirname)); + char *buffer = SAFE_ALLOCA (sizeof format - 3 * (sizeof "%s" - 1) + + strlen (use) + SBYTES (dirname) + + strlen (diagnostic)); + ptrdiff_t message_len = esprintf (buffer, format, use, SSDATA (dirname), + diagnostic); message_dolog (buffer, message_len, 0, STRING_MULTIBYTE (dirname)); SAFE_FREE (); } === modified file 'src/nsterm.m' --- src/nsterm.m 2012-10-18 18:54:37 +0000 +++ src/nsterm.m 2012-10-22 02:36:17 +0000 @@ -4099,8 +4099,6 @@ color_file = Fexpand_file_name (build_string ("rgb.txt"), Fsymbol_value (intern ("data-directory"))); - if (NILP (Ffile_readable_p (color_file))) - fatal ("Could not find %s.\n", SDATA (color_file)); color_map = Fx_load_color_file (color_file); if (NILP (color_map)) === modified file 'src/process.c' --- src/process.c 2012-10-19 19:25:18 +0000 +++ src/process.c 2012-10-20 01:13:35 +0000 @@ -204,7 +204,7 @@ #ifndef NON_BLOCKING_CONNECT #ifdef HAVE_SELECT #if defined (HAVE_GETPEERNAME) || defined (GNU_LINUX) -#if defined (O_NONBLOCK) || defined (O_NDELAY) +#if O_NONBLOCK || O_NDELAY #if defined (EWOULDBLOCK) || defined (EINPROGRESS) #define NON_BLOCKING_CONNECT #endif /* EWOULDBLOCK || EINPROGRESS */ @@ -651,7 +651,7 @@ PTY_OPEN; #else /* no PTY_OPEN */ { -# ifdef O_NONBLOCK +# if O_NONBLOCK fd = emacs_open (pty_name, O_RDWR | O_NONBLOCK, 0); # else fd = emacs_open (pty_name, O_RDWR | O_NDELAY, 0); @@ -668,7 +668,7 @@ #else sprintf (pty_name, "/dev/tty%c%x", c, i); #endif /* no PTY_TTY_NAME_SPRINTF */ - if (access (pty_name, 6) != 0) + if (faccessat (AT_FDCWD, pty_name, R_OK | W_OK, AT_EACCESS) != 0) { emacs_close (fd); # ifndef __sgi @@ -1621,7 +1621,7 @@ #if ! defined (USG) || defined (USG_SUBTTY_WORKS) /* On most USG systems it does not work to open the pty's tty here, then close it and reopen it in the child. */ -#ifdef O_NOCTTY +#if O_NOCTTY /* Don't let this terminal become our controlling terminal (in case we don't have one). */ forkout = forkin = emacs_open (pty_name, O_RDWR | O_NOCTTY, 0); @@ -1675,11 +1675,11 @@ } #endif -#ifdef O_NONBLOCK +#if O_NONBLOCK fcntl (inchannel, F_SETFL, O_NONBLOCK); fcntl (outchannel, F_SETFL, O_NONBLOCK); #else -#ifdef O_NDELAY +#if O_NDELAY fcntl (inchannel, F_SETFL, O_NDELAY); fcntl (outchannel, F_SETFL, O_NDELAY); #endif @@ -1967,7 +1967,7 @@ #if ! defined (USG) || defined (USG_SUBTTY_WORKS) /* On most USG systems it does not work to open the pty's tty here, then close it and reopen it in the child. */ -#ifdef O_NOCTTY +#if O_NOCTTY /* Don't let this terminal become our controlling terminal (in case we don't have one). */ int forkout = emacs_open (pty_name, O_RDWR | O_NOCTTY, 0); @@ -1987,11 +1987,11 @@ } #endif /* HAVE_PTYS */ -#ifdef O_NONBLOCK +#if O_NONBLOCK fcntl (inchannel, F_SETFL, O_NONBLOCK); fcntl (outchannel, F_SETFL, O_NONBLOCK); #else -#ifdef O_NDELAY +#if O_NDELAY fcntl (inchannel, F_SETFL, O_NDELAY); fcntl (outchannel, F_SETFL, O_NDELAY); #endif @@ -2951,7 +2951,7 @@ { /* Don't support network sockets when non-blocking mode is not available, since a blocked Emacs is not useful. */ -#if !defined (O_NONBLOCK) && !defined (O_NDELAY) +#if !O_NONBLOCK && !O_NDELAY error ("Network servers not supported"); #else is_server = 1; @@ -3217,7 +3217,7 @@ #ifdef NON_BLOCKING_CONNECT if (is_non_blocking_client) { -#ifdef O_NONBLOCK +#if O_NONBLOCK ret = fcntl (s, F_SETFL, O_NONBLOCK); #else ret = fcntl (s, F_SETFL, O_NDELAY); @@ -3434,10 +3434,10 @@ chan_process[inch] = proc; -#ifdef O_NONBLOCK +#if O_NONBLOCK fcntl (inch, F_SETFL, O_NONBLOCK); #else -#ifdef O_NDELAY +#if O_NDELAY fcntl (inch, F_SETFL, O_NDELAY); #endif #endif @@ -4169,10 +4169,10 @@ chan_process[s] = proc; -#ifdef O_NONBLOCK +#if O_NONBLOCK fcntl (s, F_SETFL, O_NONBLOCK); #else -#ifdef O_NDELAY +#if O_NDELAY fcntl (s, F_SETFL, O_NDELAY); #endif #endif @@ -4873,11 +4873,11 @@ #endif /* ISC 4.1 defines both EWOULDBLOCK and O_NONBLOCK, and Emacs uses O_NONBLOCK, so what we get is EAGAIN. */ -#ifdef O_NONBLOCK +#if O_NONBLOCK else if (nread == -1 && errno == EAGAIN) ; #else -#ifdef O_NDELAY +#if O_NDELAY else if (nread == -1 && errno == EAGAIN) ; /* Note that we cannot distinguish between no input @@ -7363,7 +7363,7 @@ #ifdef HAVE_GETSOCKNAME ADD_SUBFEATURE (QCservice, Qt); #endif -#if defined (O_NONBLOCK) || defined (O_NDELAY) +#if O_NONBLOCK || O_NDELAY ADD_SUBFEATURE (QCserver, Qt); #endif === modified file 'src/sysdep.c' --- src/sysdep.c 2012-10-19 19:25:18 +0000 +++ src/sysdep.c 2012-10-20 01:13:35 +0000 @@ -1216,7 +1216,7 @@ old_fcntl_owner[fileno (tty_out->input)]); } #endif /* F_SETOWN */ -#ifdef O_NDELAY +#if O_NDELAY fcntl (fileno (tty_out->input), F_SETFL, fcntl (fileno (tty_out->input), F_GETFL, 0) & ~O_NDELAY); #endif @@ -2312,12 +2312,12 @@ fd = emacs_open ((char*) port, O_RDWR -#ifdef O_NONBLOCK +#if O_NONBLOCK | O_NONBLOCK #else | O_NDELAY #endif -#ifdef O_NOCTTY +#if O_NOCTTY | O_NOCTTY #endif , 0); === modified file 'src/term.c' --- src/term.c 2012-10-19 19:25:18 +0000 +++ src/term.c 2012-10-20 01:13:35 +0000 @@ -3023,7 +3023,7 @@ int fd; FILE *file; -#ifdef O_IGNORE_CTTY +#if O_IGNORE_CTTY if (!ctty) /* Open the terminal device. Don't recognize it as our controlling terminal, and don't make it the controlling tty @@ -3054,7 +3054,7 @@ name); } -#ifndef O_IGNORE_CTTY +#if !O_IGNORE_CTTY if (!ctty) dissociate_if_controlling_tty (fd); #endif === modified file 'src/w32.c' --- src/w32.c 2012-10-19 19:25:18 +0000 +++ src/w32.c 2012-10-20 01:13:35 +0000 @@ -1597,7 +1597,7 @@ see if it succeeds. But I think that's too much to ask. */ /* MSVCRT's _access crashes with D_OK. */ - if (tmp && sys_access (tmp, D_OK) == 0) + if (tmp && sys_faccessat (AT_FDCWD, tmp, D_OK, AT_EACCESS) == 0) { char * var = alloca (strlen (tmp) + 8); sprintf (var, "TMPDIR=%s", tmp); @@ -2714,10 +2714,16 @@ long file names. */ int -sys_access (const char * path, int mode) +sys_faccessat (int dirfd, const char * path, int mode, int flags) { DWORD attributes; + if (dirfd != AT_FDCWD) + { + errno = EINVAL; + return -1; + } + /* MSVCRT implementation of 'access' doesn't recognize D_OK, and its newer versions blow up when passed D_OK. */ path = map_w32_filename (path, NULL); @@ -2960,7 +2966,7 @@ { int save_errno = errno; p[0] = first_char[i]; - if (sys_access (template, 0) < 0) + if (sys_faccessat (AT_FDCWD, template, F_OK, AT_EACCESS) < 0) { errno = save_errno; return template; @@ -4011,7 +4017,7 @@ { /* Non-absolute FILENAME is understood as being relative to LINKNAME's directory. We need to prepend that directory to - FILENAME to get correct results from sys_access below, since + FILENAME to get correct results from sys_faccessat below, since otherwise it will interpret FILENAME relative to the directory where the Emacs process runs. Note that make-symbolic-link always makes sure LINKNAME is a fully @@ -4025,10 +4031,10 @@ strncpy (tem, linkfn, p - linkfn); tem[p - linkfn] = '\0'; strcat (tem, filename); - dir_access = sys_access (tem, D_OK); + dir_access = sys_faccessat (AT_FDCWD, tem, D_OK, AT_EACCESS); } else - dir_access = sys_access (filename, D_OK); + dir_access = sys_faccessat (AT_FDCWD, filename, D_OK, AT_EACCESS); /* Since Windows distinguishes between symlinks to directories and to files, we provide a kludgy feature: if FILENAME doesn't === modified file 'src/xrdb.c' --- src/xrdb.c 2012-10-19 19:25:18 +0000 +++ src/xrdb.c 2012-10-22 05:29:15 +0000 @@ -41,7 +41,6 @@ #ifdef HAVE_PWD_H #include <pwd.h> #endif -#include <sys/stat.h> #ifdef USE_MOTIF /* For Vdouble_click_time. */ @@ -50,7 +49,6 @@ char *x_get_string_resource (XrmDatabase rdb, const char *name, const char *class); -static int file_p (const char *filename); \f /* X file search path processing. */ @@ -108,7 +106,7 @@ database associated with display. (This is x_customization_string.) - Return the expanded file name if it exists and is readable, and + Return the resource database if its file was read successfully, and refers to %L only when the LANG environment variable is set, or otherwise provided by X. @@ -117,10 +115,11 @@ Return NULL otherwise. */ -static char * -magic_file_p (const char *string, ptrdiff_t string_len, const char *class, - const char *escaped_suffix) +static XrmDatabase +magic_db (const char *string, ptrdiff_t string_len, const char *class, + const char *escaped_suffix) { + XrmDatabase db; char *lang = getenv ("LANG"); ptrdiff_t path_size = 100; @@ -217,14 +216,9 @@ } path[path_len] = '\0'; - - if (! file_p (path)) - { - xfree (path); - return NULL; - } - - return path; + db = XrmGetFileDatabase (path); + xfree (path); + return db; } @@ -258,22 +252,11 @@ } -static int -file_p (const char *filename) -{ - struct stat status; - - return (access (filename, 4) == 0 /* exists and is readable */ - && stat (filename, &status) == 0 /* get the status */ - && (S_ISDIR (status.st_mode)) == 0); /* not a directory */ -} - - /* Find the first element of SEARCH_PATH which exists and is readable, after expanding the %-escapes. Return 0 if we didn't find any, and the path name of the one we found otherwise. */ -static char * +static XrmDatabase search_magic_path (const char *search_path, const char *class, const char *escaped_suffix) { @@ -286,18 +269,16 @@ if (p > s) { - char *path = magic_file_p (s, p - s, class, escaped_suffix); - if (path) - return path; + XrmDatabase db = magic_db (s, p - s, class, escaped_suffix); + if (db) + return db; } else if (*p == ':') { - char *path; - - s = "%N%S"; - path = magic_file_p (s, strlen (s), class, escaped_suffix); - if (path) - return path; + static char const ns[] = "%N%S"; + XrmDatabase db = magic_db (ns, strlen (ns), class, escaped_suffix); + if (db) + return db; } if (*p == ':') @@ -312,21 +293,12 @@ static XrmDatabase get_system_app (const char *class) { - XrmDatabase db = NULL; const char *path; - char *p; path = getenv ("XFILESEARCHPATH"); if (! path) path = PATH_X_DEFAULTS; - p = search_magic_path (path, class, 0); - if (p) - { - db = XrmGetFileDatabase (p); - xfree (p); - } - - return db; + return search_magic_path (path, class, 0); } @@ -340,35 +312,40 @@ static XrmDatabase get_user_app (const char *class) { + XrmDatabase db = 0; const char *path; - char *file = 0; - char *free_it = 0; /* Check for XUSERFILESEARCHPATH. It is a path of complete file names, not directories. */ - if (((path = getenv ("XUSERFILESEARCHPATH")) - && (file = search_magic_path (path, class, 0))) + path = getenv ("XUSERFILESEARCHPATH"); + if (path) + db = search_magic_path (path, class, 0); + if (! db) + { /* Check for APPLRESDIR; it is a path of directories. In each, we have to search for LANG/CLASS and then CLASS. */ - || ((path = getenv ("XAPPLRESDIR")) - && ((file = search_magic_path (path, class, "/%L/%N")) - || (file = search_magic_path (path, class, "/%N")))) + path = getenv ("XAPPLRESDIR"); + if (path) + { + db = search_magic_path (path, class, "/%L/%N"); + if (!db) + db = search_magic_path (path, class, "/%N"); + } + } + if (! db) + { /* Check in the home directory. This is a bit of a hack; let's hope one's home directory doesn't contain any %-escapes. */ - || (free_it = gethomedir (), - ((file = search_magic_path (free_it, class, "%L/%N")) - || (file = search_magic_path (free_it, class, "%N"))))) - { - XrmDatabase db = XrmGetFileDatabase (file); - xfree (file); - xfree (free_it); - return db; + char *home = gethomedir (); + db = search_magic_path (home, class, "%L/%N"); + if (! db) + db = search_magic_path (home, class, "%N"); + xfree (home); } - xfree (free_it); - return NULL; + return db; } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 6:03 ` Paul Eggert @ 2012-10-22 17:19 ` Eli Zaretskii 2012-10-22 20:33 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-22 17:19 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Sun, 21 Oct 2012 23:03:30 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > Cc: 12632@debbugs.gnu.org > > +/* If FILE is a searchable directory or a symlink to a > + searchable directory, return true. Otherwise return > + false and set errno to an error number. */ > +bool > +file_accessible_directory_p (char const *file) > +{ > + ptrdiff_t len = strlen (file); > + bool ok; > + int faccessat_errno; > + USE_SAFE_ALLOCA; > + > + /* Normally a file F is an accessible directory if F/. is accessible. > + But omit the "/." if F is empty, as "" is not "/."; and omit the > + "/" if F ends in "/", as on some platforms "/" != "//". */ > + if (len) > + { > + char *buf = SAFE_ALLOCA (len + 3); > + memcpy (buf, file, len); > + strcpy (buf + len, "/." + (file[len - 1] == '/')); > + file = buf; > + } I think this should use IS_DIRECTORY_SEP instead of a literal '/'. > int > -sys_access (const char * path, int mode) > +sys_faccessat (int dirfd, const char * path, int mode, int flags) > { > DWORD attributes; > > + if (dirfd != AT_FDCWD) > + { > + errno = EINVAL; > + return -1; > + } My reading of Posix is that this should set errno to EBADF, not EINVAL. There's also a problem that sys_faccessat won't have a prototype, so compiling with -std=gnu99 will issue a warning, but that's not fatal, and we can add that later. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 17:19 ` Eli Zaretskii @ 2012-10-22 20:33 ` Paul Eggert 2012-10-22 21:04 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-22 20:33 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/22/2012 10:19 AM, Eli Zaretskii wrote: > My reading of Posix is that this should set errno to EBADF, not > EINVAL. Thanks, I'll fix that. >> + /* Normally a file F is an accessible directory if F/. is accessible. >> + But omit the "/." if F is empty, as "" is not "/."; and omit the >> + "/" if F ends in "/", as on some platforms "/" != "//". */ >> + if (len) >> + { >> + char *buf = SAFE_ALLOCA (len + 3); >> + memcpy (buf, file, len); >> + strcpy (buf + len, "/." + (file[len - 1] == '/')); >> + file = buf; >> + } > > I think this should use IS_DIRECTORY_SEP instead of a literal '/'. It should work as-is, no? It's true that on Windows, backslash is also a directory separator. But I don't see any harm done if we append '/.' to a file name that ends in backslash. For example, if the file name is 'FOO\' and we append '/.' to make it 'FOO\/.', the test should succeed if FOO is a searchable directory and should fail otherwise, which is what is wanted here. Another way to put it is that the test against trailing slash is only for the benefit of platforms where '/' != '//', and Windows is not such a platform. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 20:33 ` Paul Eggert @ 2012-10-22 21:04 ` Eli Zaretskii 2012-10-22 21:30 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-22 21:04 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 22 Oct 2012 13:33:34 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: rgm@gnu.org, 12632@debbugs.gnu.org > > >> + /* Normally a file F is an accessible directory if F/. is accessible. > >> + But omit the "/." if F is empty, as "" is not "/."; and omit the > >> + "/" if F ends in "/", as on some platforms "/" != "//". */ > >> + if (len) > >> + { > >> + char *buf = SAFE_ALLOCA (len + 3); > >> + memcpy (buf, file, len); > >> + strcpy (buf + len, "/." + (file[len - 1] == '/')); > >> + file = buf; > >> + } > > > > I think this should use IS_DIRECTORY_SEP instead of a literal '/'. > > It should work as-is, no? It's true that on Windows, backslash is > also a directory separator. But I don't see any harm done if we append > '/.' to a file name that ends in backslash. I meant the test (file[len - 1] == '/'). > For example, if the file name is 'FOO\' and we append '/.' to make > it 'FOO\/.', the test should succeed if FOO is a searchable > directory It doesn't necessarily succeed. Windows file APIs are picky wrt trailing slashes. And the result is ugly, and the code looks wrong. We use IS_DIRECTORY_SEP in other places, so why avoid it here? > Another way to put it is that the test against trailing slash is only > for the benefit of platforms where '/' != '//', and Windows is not > such a platform. Yes, Windows _is_ such a platform, "//foo/bar" and "/foo/bar" are very different things there. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 21:04 ` Eli Zaretskii @ 2012-10-22 21:30 ` Paul Eggert 2012-10-23 0:40 ` Stefan Monnier 2012-10-23 3:47 ` Eli Zaretskii 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-22 21:30 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/22/2012 02:04 PM, Eli Zaretskii wrote: > Windows _is_ such a platform, "//foo/bar" and "/foo/bar" are very > different things there. What is the difference, from the point of view of the test? The test is concerned only with trailing separators, not with leading ones, so it shouldn't matter that "//foo/bar" and "/foo/bar" might be different. Is it possible in Windows that the searchability of the file named "//" differs from the searchability of "/"? Or that the searchability of "\/" differs from that of "\"? Could you explain a scenario where that might happen? (By "searchable", I mean that the file is a directory and one can resolve file names within that directory.) Emacs currently assumes that all directories are searchable on Windows, so any such scenario would break Emacs elsewhere, right? If "/" and "//" and "\/" and "\" are always searchable, it shouldn't matter which Emacs tested. > Windows file APIs are picky wrt trailing slashes. Can you give an example of how that might affect the test? It's OK if Windows is picky about trailing slashes -- POSIX platforms are too -- all that matters is whether the pickiness derails the test. > We use IS_DIRECTORY_SEP in other places, so why avoid it here? If it's not needed, it makes the code a bit harder to read. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 21:30 ` Paul Eggert @ 2012-10-23 0:40 ` Stefan Monnier 2012-10-23 1:46 ` Paul Eggert 2012-10-23 3:47 ` Eli Zaretskii 1 sibling, 1 reply; 47+ messages in thread From: Stefan Monnier @ 2012-10-23 0:40 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 >> We use IS_DIRECTORY_SEP in other places, so why avoid it here? > If it's not needed, it makes the code a bit harder to read. I don't see why. The name says very clearly what it is intended to do. On the contrary, it seems more clear than comparing with '/' which only makes sense if you happen to know that / is the special char used as directory-separator. Stefan ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 0:40 ` Stefan Monnier @ 2012-10-23 1:46 ` Paul Eggert 2012-10-23 3:49 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-23 1:46 UTC (permalink / raw) To: Stefan Monnier; +Cc: 12632 On 10/22/2012 05:40 PM, Stefan Monnier wrote: >>> We use IS_DIRECTORY_SEP in other places, so why avoid it here? >> > If it's not needed, it makes the code a bit harder to read. > I don't see why. The name says very clearly what it is intended to do. > On the contrary, it seems more clear than comparing with '/' which only > makes sense if you happen to know that / is the special char used as > directory-separator. Using IS_DIRECTORY_SEP indicates that it's necessary to process a file name using a system-dependent interpretation rather than the standard POSIX interpretation. When plain X=='/' would do, it can mislead the reader if the code does IS_DIRECTORY_SEP (X), as the reader may naturally (and mistakenly) infer that the code was written that way because it must treat '\' specially on Windows. It's primarily this clarity, not the brevity, that I was referring to. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 1:46 ` Paul Eggert @ 2012-10-23 3:49 ` Eli Zaretskii 0 siblings, 0 replies; 47+ messages in thread From: Eli Zaretskii @ 2012-10-23 3:49 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 22 Oct 2012 18:46:56 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: Eli Zaretskii <eliz@gnu.org>, 12632@debbugs.gnu.org > > On 10/22/2012 05:40 PM, Stefan Monnier wrote: > >>> We use IS_DIRECTORY_SEP in other places, so why avoid it here? > >> > If it's not needed, it makes the code a bit harder to read. > > I don't see why. The name says very clearly what it is intended to do. > > On the contrary, it seems more clear than comparing with '/' which only > > makes sense if you happen to know that / is the special char used as > > directory-separator. > > Using IS_DIRECTORY_SEP indicates that it's necessary to > process a file name using a system-dependent interpretation > rather than the standard POSIX interpretation. When > plain X=='/' would do, it can mislead the reader if the code > does IS_DIRECTORY_SEP (X), as the reader may naturally (and > mistakenly) infer that the code was written that way because > it must treat '\' specially on Windows. Which is the case, so there's no misleading. > It's primarily this clarity, not the brevity, that I was referring > to. This argument is a waste of everybody's time. Feel free to leave the test as it is, I will fix that after you commit the changeset. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-22 21:30 ` Paul Eggert 2012-10-23 0:40 ` Stefan Monnier @ 2012-10-23 3:47 ` Eli Zaretskii 2012-10-23 5:07 ` Paul Eggert 1 sibling, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-23 3:47 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 22 Oct 2012 14:30:41 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: rgm@gnu.org, 12632@debbugs.gnu.org > > Is it possible in Windows that the searchability of the file named "//" > differs from the searchability of "/"? Or that the searchability > of "\/" differs from that of "\"? Both is true. // or \\ or \/ starts a UNC, and Windows expects the following to be the name of a remote machine. / or \ is just the root directory of the current drive. > Emacs currently assumes that all directories are searchable on > Windows, so any such scenario would break Emacs elsewhere, right? expand-file-name already handles the UNC case. > > Windows file APIs are picky wrt trailing slashes. > > Can you give an example of how that might affect the test? The call to faccessat could fail, just because of the "\/." at the end of the file name. > > We use IS_DIRECTORY_SEP in other places, so why avoid it here? > > If it's not needed, it makes the code a bit harder to read. I disagree. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 3:47 ` Eli Zaretskii @ 2012-10-23 5:07 ` Paul Eggert 2012-10-23 16:44 ` Eli Zaretskii 0 siblings, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-10-23 5:07 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/22/2012 08:47 PM, Eli Zaretskii wrote: >> > Is it possible in Windows that the searchability of the file named "//" >> > differs from the searchability of "/"? Or that the searchability >> > of "\/" differs from that of "\"? > Both is true. // or \\ or \/ starts a UNC, and Windows expects the > following to be the name of a remote machine. / or \ is just the root > directory of the current drive. Sorry, apparently I wasn't clear. I wasn't asking about names like //remotemachine or /directory, as names like that should not be affected by this issue. I was asking about bare // and bare / and their aliases with backslash. Let me try to be more concrete. Which of the following calls can fail on Windows in the current Emacs trunk, and why? sys_access ("/", D_OK) sys_access ("/.", D_OK) sys_access ("\\", D_OK) sys_access ("\\.", D_OK) sys_access ("//", D_OK) sys_access ("//.", D_OK) sys_access ("/\\", D_OK) sys_access ("/\\.", D_OK) sys_access ("\\/", D_OK) sys_access ("\\/.", D_OK) sys_access ("\\\\", D_OK) sys_access ("\\\\.", D_OK) sys_access ("///", D_OK) sys_access ("///.", D_OK) >> Can you give an example of how that might affect the test? > > The call to faccessat could fail, just because of the "\/." at the > end of the file name. Sorry, I don't follow this example. The code doesn't append backslash-slash-dot; it appends slash-dot. Are you saying that in the current trunk, sys_access ("\\", D_OK) can succeed but sys_access ("\\/.", D_OK) can fail when presented with the same file system? ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 5:07 ` Paul Eggert @ 2012-10-23 16:44 ` Eli Zaretskii 2012-10-23 19:27 ` Paul Eggert 0 siblings, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-23 16:44 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Mon, 22 Oct 2012 22:07:16 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: rgm@gnu.org, 12632@debbugs.gnu.org > > Which of the following calls can fail on Windows in the current > Emacs trunk, and why? > > sys_access ("/", D_OK) sys_access ("/.", D_OK) > sys_access ("\\", D_OK) sys_access ("\\.", D_OK) > sys_access ("//", D_OK) sys_access ("//.", D_OK) > sys_access ("/\\", D_OK) sys_access ("/\\.", D_OK) > sys_access ("\\/", D_OK) sys_access ("\\/.", D_OK) > sys_access ("\\\\", D_OK) sys_access ("\\\\.", D_OK) > sys_access ("///", D_OK) sys_access ("///.", D_OK) Sorry, I cannot afford doing this research. Some of these file names have no meaning at all, so they are prone to undefined behavior. Others, like "//.", are downright dangerous, because "\\.\" begins a device name on Windows. With these arcana notoriously under-documented by MS, it is anybody's guess what such names can do in what APIs. I'm trying to avoid potential problems before they have a chance to screw some user. I don't see a reason to seek a 110% provable test case, when the issue at hand is a single use of a macro that is used all over the place in Emacs. There isn't a single comparison with a literal '/' in fileio.c, with the sole exception of supporting the "/:" magic. More than 50 instances of IS_DIRECTORY_SEP, just in that one file (and several dozens more elsewhere in Emacs), are the evidence that IS_DIRECTORY_SEP _is_ the norm, whereas a literal slash is an exception. Contrary to your original claim, using '/' will confuse the reader into thinking that this particular function does something special, like the code which looks for the "/:" magic, while using IS_DIRECTORY_SEP will look like any other code we have, and will also DTRT instead of relying on "maybe it will work". > > The call to faccessat could fail, just because of the "\/." at the > > end of the file name. > > Sorry, I don't follow this example. The code doesn't append > backslash-slash-dot; it appends slash-dot. Are you saying that > in the current trunk, sys_access ("\\", D_OK) can succeed > but sys_access ("\\/.", D_OK) can fail when presented with > the same file system? No, I'm saying that if the function is called with "d:\foo\", it will call faccessat with "d:\foo\/." as the argument, which has "\/." at the end of the file name. Testing with IS_DIRECTORY_SEP will avoid this and call faccessat with "d:\foo/.". The latter is a valid file name, while the former is not. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 16:44 ` Eli Zaretskii @ 2012-10-23 19:27 ` Paul Eggert 2012-10-23 19:50 ` Eli Zaretskii 2012-10-23 23:15 ` Andy Moreton 0 siblings, 2 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-23 19:27 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/23/2012 09:44 AM, Eli Zaretskii wrote: > Others, like "//.", are downright dangerous, because "\\.\" begins a > device name on Windows. With these arcana notoriously > under-documented by MS, it is anybody's guess what such names can do > in what APIs. OK, thanks for explaining: I did not know about that syntax, or about the behavior being undocumented and undefined. Also, come to think of it, there will be problems with drive prefixes. Rather than try to fix these problems, which are on a platform I'm not familiar with, I'll change the proposed code to do the following. This should be safe since it is what the trunk currently does now (modulo some refactoring) when on DOS or Windows platforms. And it can be tuned for DOS and Windows later, as needed. /* If FILE is a searchable directory or a symlink to a searchable directory, return true. Otherwise return false and set errno to an error number. */ bool file_accessible_directory_p (char const *file) { #ifdef DOS_NT /* File names may have drive prefixes and "/" is not the only separator, so the POSIXish approach doesn't work in general. Use a straightforward approach instead. */ return file_directory_p (file) && check_executable (file); #else /* On POSIXish platforms, use just one system call; this avoids a race and is typically faster. */ ptrdiff_t len = strlen (file); char const *dir; bool ok; int saved_errno; USE_SAFE_ALLOCA; /* Normally a file "FOO" is an accessible directory if "FOO/." exists. There are three exceptions: "", "/", and "//". Leave "" alone, as it's invalid. Append only "." to the other two exceptions as "/" and "//" are distinct on some platforms, whereas "/", "///", "////", etc. are all equivalent. */ if (! len) dir = file; else { /* Just check for trailing '/' when deciding whether to append '/'. That's simpler than testing the two special cases "/" and "//", and it's a safe optimization here. */ char *buf = SAFE_ALLOCA (len + 3); memcpy (buf, file, len); strcpy (buf + len, "/." + (file[len - 1] == '/')); dir = buf; } ok = check_existing (dir); saved_errno = errno; SAFE_FREE (); errno = saved_errno; return ok; #endif } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 19:27 ` Paul Eggert @ 2012-10-23 19:50 ` Eli Zaretskii 2012-10-23 20:01 ` Paul Eggert 2012-10-23 23:15 ` Andy Moreton 1 sibling, 1 reply; 47+ messages in thread From: Eli Zaretskii @ 2012-10-23 19:50 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Tue, 23 Oct 2012 12:27:21 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: rgm@gnu.org, 12632@debbugs.gnu.org > > Rather than try to fix these problems, which are on a platform > I'm not familiar with, I'll change the proposed code to > do the following. This should be safe since it is what the > trunk currently does now (modulo some refactoring) when on > DOS or Windows platforms. And it can be tuned for DOS and > Windows later, as needed. > > /* If FILE is a searchable directory or a symlink to a > searchable directory, return true. Otherwise return > false and set errno to an error number. */ > bool > file_accessible_directory_p (char const *file) > { > #ifdef DOS_NT > /* File names may have drive prefixes and "/" is not the only > separator, so the POSIXish approach doesn't work in general. > Use a straightforward approach instead. */ > return file_directory_p (file) && check_executable (file); Just file_directory_p is enough, the other test adds no useful information that isn't already gathered by the first test. (The executable bit of a directory is invented on DOS_NT platforms, it doesn't exist on disk.) ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 19:50 ` Eli Zaretskii @ 2012-10-23 20:01 ` Paul Eggert 0 siblings, 0 replies; 47+ messages in thread From: Paul Eggert @ 2012-10-23 20:01 UTC (permalink / raw) To: Eli Zaretskii; +Cc: 12632 On 10/23/2012 12:50 PM, Eli Zaretskii wrote: > Just file_directory_p is enough Thanks, I'll simplify that part to: bool file_accessible_directory_p (char const *file) { #ifdef DOS_NT /* There's no need to test whether FILE is searchable, as the searchable/executable bit is invented on DOS_NT platforms. */ return file_directory_p (file); #else ... same as before ... #endif } ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 19:27 ` Paul Eggert 2012-10-23 19:50 ` Eli Zaretskii @ 2012-10-23 23:15 ` Andy Moreton 2012-10-24 3:51 ` Eli Zaretskii 1 sibling, 1 reply; 47+ messages in thread From: Andy Moreton @ 2012-10-23 23:15 UTC (permalink / raw) To: 12632 On Tue 23 Oct 2012, Paul Eggert wrote: > On 10/23/2012 09:44 AM, Eli Zaretskii wrote: >> Others, like "//.", are downright dangerous, because "\\.\" begins a >> device name on Windows. With these arcana notoriously >> under-documented by MS, it is anybody's guess what such names can do >> in what APIs. > > OK, thanks for explaining: I did not know about that syntax, > or about the behavior being undocumented and undefined. > Also, come to think of it, there will be problems with > drive prefixes. FYI it is documented - see "Win32 Device Namespaces": http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx Of course as Eli suggests, this documentation may not be the whole story, as you still need to know which names and namespaces are supported by a given API (and on which versions of Windows). AndyM ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-23 23:15 ` Andy Moreton @ 2012-10-24 3:51 ` Eli Zaretskii 0 siblings, 0 replies; 47+ messages in thread From: Eli Zaretskii @ 2012-10-24 3:51 UTC (permalink / raw) To: Andy Moreton; +Cc: 12632 > From: Andy Moreton <andrewjmoreton@gmail.com> > Date: Wed, 24 Oct 2012 00:15:09 +0100 > > FYI it is documented - see "Win32 Device Namespaces": > http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247%28v=vs.85%29.aspx > > Of course as Eli suggests, this documentation may not be the whole > story, as you still need to know which names and namespaces are > supported by a given API (and on which versions of Windows). That's one thing that's missing, yes. Another is how exactly a file name of an arbitrary form is normalized by each API, which is exactly the issue here. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: file permissions checking mishandled when setuid 2012-10-19 18:54 ` Paul Eggert 2012-10-19 19:05 ` Glenn Morris @ 2012-10-19 19:10 ` Eli Zaretskii 1 sibling, 0 replies; 47+ messages in thread From: Eli Zaretskii @ 2012-10-19 19:10 UTC (permalink / raw) To: Paul Eggert; +Cc: 12632 > Date: Fri, 19 Oct 2012 11:54:23 -0700 > From: Paul Eggert <eggert@cs.ucla.edu> > CC: 12632@debbugs.gnu.org > > On 10/19/2012 11:41 AM, Eli Zaretskii wrote: > > Why are we doing such changes during a feature freeze? > > To fix a bug. It's similar to trunk bzr 110520, No, it isn't. ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: updated version of the patch 2012-10-13 1:58 bug#12632: file permissions checking mishandled when setuid Paul Eggert 2012-10-13 7:23 ` Eli Zaretskii @ 2012-11-13 2:19 ` Paul Eggert 2012-11-14 5:10 ` Paul Eggert 1 sibling, 1 reply; 47+ messages in thread From: Paul Eggert @ 2012-11-13 2:19 UTC (permalink / raw) To: 12632 [-- Attachment #1: Type: text/plain, Size: 205 bytes --] I updated the patch so that it applies cleanly to the Emacs trunk (bzr 110875) and would like to install it soon. This reflects the comments about the previous patch. Revised patch (compressed) attached. [-- Attachment #2: euidaccess.txt.gz --] [-- Type: application/x-gzip, Size: 25975 bytes --] ^ permalink raw reply [flat|nested] 47+ messages in thread
* bug#12632: updated version of the patch 2012-11-13 2:19 ` bug#12632: updated version of the patch Paul Eggert @ 2012-11-14 5:10 ` Paul Eggert 0 siblings, 0 replies; 47+ messages in thread From: Paul Eggert @ 2012-11-14 5:10 UTC (permalink / raw) To: 12632-done I installed the patch as trunk bzr 110889 and am marking this as done. ^ permalink raw reply [flat|nested] 47+ messages in thread
end of thread, other threads:[~2012-11-14 5:10 UTC | newest] Thread overview: 47+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2012-10-13 1:58 bug#12632: file permissions checking mishandled when setuid Paul Eggert 2012-10-13 7:23 ` Eli Zaretskii 2012-10-13 8:36 ` Eli Zaretskii 2012-10-14 6:16 ` Paul Eggert 2012-10-14 6:56 ` Eli Zaretskii 2012-10-14 18:14 ` Paul Eggert 2012-10-14 18:39 ` Eli Zaretskii 2012-10-14 19:42 ` Paul Eggert 2012-10-14 20:10 ` Eli Zaretskii 2012-10-14 20:17 ` Eli Zaretskii 2012-10-14 20:40 ` Paul Eggert 2012-10-14 20:53 ` Eli Zaretskii 2012-10-15 6:17 ` Paul Eggert 2012-10-15 17:31 ` Eli Zaretskii 2012-10-15 21:38 ` Paul Eggert 2012-10-16 3:46 ` Eli Zaretskii 2012-10-16 6:00 ` Paul Eggert 2012-10-16 16:36 ` Eli Zaretskii 2012-10-19 17:01 ` Paul Eggert 2012-10-19 18:41 ` Eli Zaretskii 2012-10-19 18:54 ` Paul Eggert 2012-10-19 19:05 ` Glenn Morris 2012-10-19 19:36 ` Paul Eggert 2012-10-20 2:25 ` Richard Stallman 2012-10-20 4:36 ` Paul Eggert 2012-10-21 1:44 ` Glenn Morris 2012-10-21 2:52 ` Paul Eggert 2012-10-21 4:24 ` Glenn Morris 2012-10-22 6:03 ` Paul Eggert 2012-10-22 17:19 ` Eli Zaretskii 2012-10-22 20:33 ` Paul Eggert 2012-10-22 21:04 ` Eli Zaretskii 2012-10-22 21:30 ` Paul Eggert 2012-10-23 0:40 ` Stefan Monnier 2012-10-23 1:46 ` Paul Eggert 2012-10-23 3:49 ` Eli Zaretskii 2012-10-23 3:47 ` Eli Zaretskii 2012-10-23 5:07 ` Paul Eggert 2012-10-23 16:44 ` Eli Zaretskii 2012-10-23 19:27 ` Paul Eggert 2012-10-23 19:50 ` Eli Zaretskii 2012-10-23 20:01 ` Paul Eggert 2012-10-23 23:15 ` Andy Moreton 2012-10-24 3:51 ` Eli Zaretskii 2012-10-19 19:10 ` Eli Zaretskii 2012-11-13 2:19 ` bug#12632: updated version of the patch Paul Eggert 2012-11-14 5:10 ` Paul Eggert
Code repositories for project(s) associated with this external index https://git.savannah.gnu.org/cgit/emacs.git https://git.savannah.gnu.org/cgit/emacs/org-mode.git This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.