From mboxrd@z Thu Jan 1 00:00:00 1970
From: ludo@gnu.org (Ludovic Courtès)
Newsgroups: gmane.lisp.guile.user
Subject: Re: Why do the compiler checks .go directory is writeable?
Date: Mon, 03 Sep 2012 22:16:40 +0200
Message-ID: <87d322q2tz.fsf@gnu.org>
References: <20120619144620.GA970@securactive.lan>
To: guile-user@gnu.org
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=-=-="

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Hi,

Sorry for the delay!

rixed@happyleptic.org wrote:

> I'm referring to the ensure-writable-dir function.
> I've stumbled upon this problem recently: I have a program that's suid root
> but calls guile. The guile compiler then creates some directories in
> .cache/guile but then checks (with access()) that he can write in there, which
> he can't since access revokes the effective uid for the caller uid. We thus have
> this situation: the compiler creates a bunch of directories then complains he
> cannot write in them.
>
> It's not obvious to me why the compiler should ensure a directory is writable
> just to throw an error.
> Wouldn't it be better to just call opens and writes
> and let these fail and report these more accurate errors instead (or, in my
> case, let them succeed)?

Agreed, not to mention time-of-check-to-time-of-use errors.

We basically want ‘mkdir -p’, but we can even omit the stat(2) call upon
EEXIST, because if DIR doesn’t point to a directory, the error will be
caught soon after anyway.

I’ll install the following patch if there’s no objection:

--=-=-=
Content-Type: text/x-patch
Content-Disposition: inline

diff --git a/module/system/base/compile.scm b/module/system/base/compile.scm index 0bc11a3..afcb55a 100644 --- a/module/system/base/compile.scm +++ b/module/system/base/compile.scm @@ -1,6 +1,6 @@ ;;; High-level compiler interface -;; Copyright (C) 2001, 2009, 2010, 2011 Free Software Foundation, Inc. +;; Copyright (C) 2001, 2009, 2010, 2011, 2012 Free Software Foundation, Inc. ;;; This library is free software; you can redistribute it and/or ;;; modify it under the terms of the GNU Lesser General Public @@ -72,7 +72,7 @@ ;; before the check, so that we avoid races (possibly due to parallel ;; compilation). ;; -(define (ensure-writable-dir dir) +(define (ensure-directory dir) (catch 'system-error (lambda () (mkdir dir)) @@ -80,13 +80,12 @@ (let ((errno (and (pair? rest) (car rest)))) (cond ((eqv? errno EEXIST) - (let ((st (stat dir))) - (if (or (not (eq? (stat:type st) 'directory)) - (not (access? dir W_OK))) - (error "directory not writable" dir)))) + ;; Assume it's a writable directory, to avoid TOCTOU errors, + ;; as well as UID/EUID mismatches that occur with access(2). + #t) ((eqv? errno ENOENT) - (ensure-writable-dir (dirname dir)) - (ensure-writable-dir dir)) + (ensure-directory (dirname dir)) + (ensure-directory dir)) (else (throw k subr fmt args rest))))))) 
@@ -125,7 +124,7 @@ %compile-fallback-path (canonical->suffix (canonicalize-path file)) (compiled-extension)))) - (and (false-if-exception (ensure-writable-dir (dirname f))) + (and (false-if-exception (ensure-directory (dirname f))) f)))) (define* (compile-file file #:key @@ -144,7 +143,7 @@ ;; Choose the input encoding deterministically. (set-port-encoding! in (or enc "UTF-8")) - (ensure-writable-dir (dirname comp)) + (ensure-directory (dirname comp)) (call-with-output-file/atomic comp (lambda (port) ((language-printer (ensure-language to))

--=-=-=
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit

Thanks,
Ludo’.

--=-=-=--
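
Review bot: In the "@@ -72,7 +72,7 @@" hunk, the context comment above the renamed definition still reads ";; before the check, so that we avoid races", but the following hunk removes the check it refers to. Reword that comment to describe what ensure-directory now does (create DIR and its missing parents, treating EEXIST as success), so the header does not document behaviour that is gone.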
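
Review bot: The EEXIST branch in the "@@ -80,13 +80,12 @@" hunk now returns #t for any existing path, including one that is not a directory, while the new comment only says "Assume it's a writable directory". The message relies on the later write failing in that case; state that in the comment, so that a future caller does not read a true return from ensure-directory as proof that DIR is a directory.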
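
Review bot: In the "@@ -125,7 +124,7 @@" hunk, (false-if-exception (ensure-directory (dirname f))) can no longer yield #f for a directory that exists but is not writable, so the enclosing expression now returns f where it used to return #f. Check that the callers of this fallback-path procedure cope with the write failing later, or record the changed return contract in the procedure's comment.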