all messages for Emacs-related lists mirrored at yhetil.org
From: Eli Zaretskii <eliz@gnu.org>
To: Paul Eggert <eggert@cs.ucla.edu>
Cc: 12632@debbugs.gnu.org
Subject: bug#12632: file permissions checking mishandled when setuid
Date: Sun, 14 Oct 2012 08:56:57 +0200
Message-ID: <83fw5h5yo6.fsf@gnu.org>
In-Reply-To: <507A58CC.10209@cs.ucla.edu>

> Date: Sat, 13 Oct 2012 23:16:44 -0700
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: 12632@debbugs.gnu.org
> 
> > How will the new code work if 'dir' is nil?
> 
> 'dir' can't be nil there.

file-name-directory can return nil, so 'dir' can be nil if the
function is called with a name of a non-existing file that has no
leading directories.

> > Also, what about lread.c:openp, around line 1555: doesn't it want
> > 'euidaccess' as well, rather than 'stat'?
> 
> Sure, we can do that.  Done in the revised patch.
> [...]
> +
> +	      /* Check that we can access or open it.  */
> +	      if (NATNUMP (predicate))
> +		fd = (((XFASTINT (predicate) & ~INT_MAX) == 0
> +		       && euidaccess (pfn, XFASTINT (predicate)) == 0
> +		       && ! file_directory_p (pfn))
> +		      ? 1 : -1);
> +	      else
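
Review bot: In the NATNUMP branch, `euidaccess (pfn, ...)` and `file_directory_p (pfn)` are two separate lookups by name, and `fd` is then set to the marker value 1 rather than to an open descriptor, so the answer can be stale by the time the caller uses `pfn`. The comment "Check that we can access or open it" should say that 1 means only "passed the access check at this moment" and is not a descriptor, and should explain why the `& ~INT_MAX` guard is needed before the predicate is passed to euidaccess.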

This won't compile on Windows, since there's no 'euidaccess' (yet).

>        if (STRINGP (dirfile))
>          {
>            dirfile = Fdirectory_file_name (dirfile);
> -          if (access (SSDATA (dirfile), 0) < 0)
> +          if (euidaccess (SSDATA (dirfile), F_OK) != 0)
>              dir_warning ("Warning: Lisp directory `%s' does not exist.\n",
>                           XCAR (path_tail));
>          }
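
Review bot: With `euidaccess (SSDATA (dirfile), F_OK) != 0` the warning text still says the directory "does not exist", but this call also fails when the effective user cannot search one of the parent directories. Either test errno for ENOENT before printing this message or reword the warning so it also covers the inaccessible case.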

Same here.

> > I don't understand why is it a good idea to use 'euidaccess' in
> > check_existing.  Isn't the fact of the mere existence of a file
> > independent of user's access rights?
> 
> No, because you cannot even stat a file that's in a directory that you
> can't search.  Using 'access' rather than 'euidaccess' might
> let a setuid Emacs search directories that it shouldn't be able
> to search, or vice versa.

But that's not a concern for check_existing, I think.  That's a
concern for check_writable, file-accessible-directory, etc.

IOW, Emacs should be able to test whether a file exists even if it
will be unable to access it later.

In any case, using 'euidaccess' here subtly changes the semantics of
file-exists-p, so if we decide to do that, it should be documented as
an incompatible change.
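
The semantics under discussion, as an added example that is not part of this message or of the Emacs sources: an existence probe made with the effective IDs has three outcomes, not two. It uses POSIX `faccessat` with `AT_EACCESS` in place of `euidaccess`; `probe_existing`, the enum and `demo` are hypothetical names, and the temporary directory is a constructed fixture.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names; this is not the Emacs check_existing.  */
enum probe { PROBE_EXISTS = 0, PROBE_MISSING = 1, PROBE_UNKNOWN = 2 };

/* faccessat with AT_EACCESS is the POSIX form of euidaccess: the lookup
   uses the effective UID/GID, the same identity a later open() runs as.  */
static enum probe
probe_existing (const char *file)
{
  if (faccessat (AT_FDCWD, file, F_OK, AT_EACCESS) == 0)
    return PROBE_EXISTS;
  /* Only ENOENT/ENOTDIR prove the name is absent.  EACCES means some
     directory on the path is not searchable, so existence is unknown.  */
  return errno == ENOENT || errno == ENOTDIR ? PROBE_MISSING : PROBE_UNKNOWN;
}

/* Constructed fixture: DIR/present exists and DIR/absent does not; both are
   probed, then DIR loses its search bit and both are probed again.
   Returns the four results as decimal digits, or -1 on setup failure.  */
static int
demo (void)
{
  char dir[] = "/tmp/probe-XXXXXX", present[64], absent[64];
  if (!mkdtemp (dir))
    return -1;
  snprintf (present, sizeof present, "%s/present", dir);
  snprintf (absent, sizeof absent, "%s/absent", dir);
  int fd = open (present, O_CREAT | O_WRONLY, 0600);
  if (fd < 0)
    return -1;
  close (fd);
  int r = probe_existing (present) * 1000 + probe_existing (absent) * 100;
  chmod (dir, 0);		/* no search permission for anyone */
  r += probe_existing (present) * 10 + probe_existing (absent);
  chmod (dir, 0700);
  unlink (present);
  rmdir (dir);
  return r;
}

int main (void) { printf ("%04d\n", demo ()); return 0; }
```

Run as an unprivileged user this prints 0122: once the directory is unsearchable, the existing and the missing name are indistinguishable. A process that bypasses permission checks (root) prints 0101 instead.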




