From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Eli Zaretskii Newsgroups: gmane.emacs.bugs Subject: bug#12632: file permissions checking mishandled when setuid Date: Sun, 14 Oct 2012 08:56:57 +0200 Message-ID: <83fw5h5yo6.fsf@gnu.org> References: <5078CAB6.7020509@cs.ucla.edu> <83fw5i7s4p.fsf@gnu.org> <83a9vq7oqh.fsf@gnu.org> <507A58CC.10209@cs.ucla.edu> Reply-To: Eli Zaretskii NNTP-Posting-Host: plane.gmane.org X-Trace: ger.gmane.org 1350197889 9080 80.91.229.3 (14 Oct 2012 06:58:09 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sun, 14 Oct 2012 06:58:09 +0000 (UTC) Cc: 12632@debbugs.gnu.org To: Paul Eggert Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Sun Oct 14 08:58:15 2012 Return-path: Envelope-to: geb-bug-gnu-emacs@m.gmane.org Original-Received: from lists.gnu.org ([208.118.235.17]) by plane.gmane.org with esmtp (Exim 4.69) (envelope-from ) id 1TNI9O-0000Jj-3y for geb-bug-gnu-emacs@m.gmane.org; Sun, 14 Oct 2012 08:58:14 +0200 Original-Received: from localhost ([::1]:54059 helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNI9H-0005oy-GF for geb-bug-gnu-emacs@m.gmane.org; Sun, 14 Oct 2012 02:58:07 -0400 Original-Received: from eggs.gnu.org ([208.118.235.92]:42247) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNI9E-0005ot-PK for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 02:58:05 -0400 Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1TNI9D-0006wg-Jw for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 02:58:04 -0400 Original-Received: from debbugs.gnu.org ([140.186.70.43]:32909) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1TNI9D-0006wc-Gk for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 02:58:03 -0400 Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.72) (envelope-from ) id 1TNIAA-0001pw-P4 for bug-gnu-emacs@gnu.org; Sun, 14 Oct 2012 02:59:02 -0400 X-Loop: help-debbugs@gnu.org Resent-From: Eli Zaretskii Original-Sender: debbugs-submit-bounces@debbugs.gnu.org Resent-CC: bug-gnu-emacs@gnu.org Resent-Date: Sun, 14 Oct 2012 06:59:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 12632 X-GNU-PR-Package: emacs X-GNU-PR-Keywords: patch Original-Received: via spool by 12632-submit@debbugs.gnu.org id=B12632.13501978826979 (code B ref 12632); Sun, 14 Oct 2012 06:59:02 +0000 Original-Received: (at 12632) by debbugs.gnu.org; 14 Oct 2012 06:58:02 +0000 Original-Received: from localhost ([127.0.0.1]:43160 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNI9B-0001oQ-QG for submit@debbugs.gnu.org; Sun, 14 Oct 2012 02:58:02 -0400 Original-Received: from mtaout20.012.net.il ([80.179.55.166]:44292) by debbugs.gnu.org with esmtp (Exim 4.72) (envelope-from ) id 1TNI98-0001oB-KN for 12632@debbugs.gnu.org; Sun, 14 Oct 2012 02:57:59 -0400 Original-Received: from conversion-daemon.a-mtaout20.012.net.il by a-mtaout20.012.net.il (HyperSendmail v2007.08) id <0MBV00000F9RCV00@a-mtaout20.012.net.il> for 12632@debbugs.gnu.org; Sun, 14 Oct 2012 08:56:52 +0200 (IST) Original-Received: from HOME-C4E4A596F7 ([87.69.4.28]) by a-mtaout20.012.net.il (HyperSendmail v2007.08) with ESMTPA id <0MBV00007FAR3540@a-mtaout20.012.net.il>; Sun, 14 Oct 2012 08:56:51 +0200 (IST) In-reply-to: <507A58CC.10209@cs.ucla.edu> X-012-Sender: halo1@inter.net.il X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.13 Precedence: list X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) X-Received-From: 140.186.70.43 X-BeenThere: bug-gnu-emacs@gnu.org List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.bugs:65579 Archived-At: > Date: Sat, 13 Oct 2012 23:16:44 -0700 > From: Paul Eggert > CC: 12632@debbugs.gnu.org > > > How will the new code work if 'dir' is nil? > > 'dir' can't be nil there. file-name-directory can return nil, so 'dir' can be nil if the function is called with a name of a non-exiting file that has no leading directories. > > Also, what about lread.c:openp, around line 1555: doesn't it want > > 'euidaccess' as well, rather than 'stat'? > > Sure, we can do that. Done in the revised patch. > [...] > + > + /* Check that we can access or open it. */ > + if (NATNUMP (predicate)) > + fd = (((XFASTINT (predicate) & ~INT_MAX) == 0 > + && euidaccess (pfn, XFASTINT (predicate)) == 0 > + && ! file_directory_p (pfn)) > + ? 1 : -1); > + else This won't compile on Windows, since there's no 'euidaccess' (yet). > if (STRINGP (dirfile)) > { > dirfile = Fdirectory_file_name (dirfile); > - if (access (SSDATA (dirfile), 0) < 0) > + if (euidaccess (SSDATA (dirfile), F_OK) != 0) > dir_warning ("Warning: Lisp directory `%s' does not exist.\n", > XCAR (path_tail)); > } Same here. > > I don't understand why is it a good idea to use 'euidaccess' in > > check_existing. Isn't the fact of the mere existence of a file > > independent of user's access rights? > > No, because you cannot even stat a file that's in a directory that you > can't search. Using 'access' rather than 'euidaccess' might > let a setuid Emacs search directories that it shouldn't be able > to search, or vice versa. But that's not a concern for check_existing, I think. That's a concern for check_writable, file-accessible-directory, etc. IOW, Emacs should be able to test whether a file exists even if it will be unable to access it later. In any case, using 'euidaccess' here subtly changes the semantics of file-exists-p, so if we decide to do that, it should be documented as an incompatible change.