[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
coreutils euidaccess cleanup (affects only setuid use)
From: |
Paul Eggert |
Subject: |
coreutils euidaccess cleanup (affects only setuid use) |
Date: |
Sun, 25 Jul 2004 00:51:35 -0700 |
User-agent: |
Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (gnu/linux) |
I installed this patch to clean up some problems with coreutils when
it is running setuid. The fixes to euidaccess.c itself need to get
propagated to glibc at some point.
2004-07-25 Paul Eggert <address@hidden>
* lib/euidaccess.c [!defined LIBC]: Included group-member.h,
stat-macros.h.
(S_IXUSR, S_IXGRP, S_IXOTH, S_IROTH, S_IWOTH, S_IXOTH):
Remove; now done by stat-macros.h.
(NGROUPS_MAX, group_member): Remove; now down by group-member.h.
No need to include <limits.h>.
(errno): Remove decl; we now assume C89 or better.
(access, getuid, getgid, geteuid, getegid, stat) [defined _LIBC]:
New macros.
(uid, gid, have_ids): Remove these static variables.
They weren't accurate for programs that also invoked setreuid etc.
(euidaccess) [defined EFF_ONLY_OK || defined ACC_SELF ||
HAVE_DECL_EACCSS]: Use builtin substitutes.
[defined _LIBC]: Ignore __libc_enable_secure; it's not a
correct optimization for programs run as root that later
invoke setreuid.
[no builtin substitutes && HAVE_DECL_SETREGID &&
PREFER_NONREENTRANT_EUIDACCESS]:
Use setreuid+setregid to get the correct answer.
[no builtin substitutes && ! (HAVE_DECL_SETREGID &&
PREFER_NONREENTRANT_EUIDACCESS)]:
Don't assume that the stat macros have their historical values,
as POSIX doesn't require this.
[defined TEST]: Include <stdlib.h>; don't include errno.h
twice; include <error.h> rather than "error.h".
* m4/euidaccess.m4 (gl_FUNC_NONREENTRANT_EUIDACCESS): New macro.
(gl_FUNC_EUIDACCESS): Use AC_CHECK_DECLS_ONCE, not AC_CHECK_DECLS.
(gl_PREREQ_EUIDACCESS): Check for eaccess and setregid decls.
Require AC_HEADER_STAT.
* m4/prereq.m4 (gl_PREREQ): Invoke gl_FUNC_NONREENTRANT_EUIDACCESS,
not gl_FUNC_EUIDACCESS.
* src/pathchk.c: Include euidaccess.h.
(dir_ok): Use euidaccess, not access.
* src/test.c (R_OK, W_OK, X_OK, FOK): Remove; system.h defines them.
(eaccess): Remove. All users changed to use euidaccess instead.
Index: lib/euidaccess.c
===================================================================
RCS file: /home/eggert/coreutils/cu/lib/euidaccess.c,v
retrieving revision 1.16
diff -p -u -r1.16 euidaccess.c
--- lib/euidaccess.c 30 Jun 2004 22:39:13 -0000 1.16
+++ lib/euidaccess.c 25 Jul 2004 07:01:31 -0000
@@ -33,49 +33,23 @@
#include <sys/types.h>
#include <sys/stat.h>
-#ifdef S_IEXEC
-# ifndef S_IXUSR
-# define S_IXUSR S_IEXEC
-# endif
-# ifndef S_IXGRP
-# define S_IXGRP (S_IEXEC >> 3)
-# endif
-# ifndef S_IXOTH
-# define S_IXOTH (S_IEXEC >> 6)
-# endif
-#endif /* S_IEXEC */
-
-#if defined (HAVE_UNISTD_H) || defined (_LIBC)
+#if HAVE_UNISTD_H || defined _LIBC
# include <unistd.h>
#endif
-#ifdef _POSIX_VERSION
-# include <limits.h>
-# if !defined(NGROUPS_MAX) || NGROUPS_MAX < 1
-# undef NGROUPS_MAX
-# define NGROUPS_MAX sysconf (_SC_NGROUPS_MAX)
-# endif /* NGROUPS_MAX */
-
-#else /* not _POSIX_VERSION */
+#ifndef _POSIX_VERSION
uid_t getuid ();
gid_t getgid ();
uid_t geteuid ();
gid_t getegid ();
-# include <sys/param.h>
-# if !defined(NGROUPS_MAX) && defined(NGROUPS)
-# define NGROUPS_MAX NGROUPS
-# endif /* not NGROUPS_MAX and NGROUPS */
-#endif /* not POSIX_VERSION */
+#endif
#include <errno.h>
-#ifndef errno
-extern int errno;
-#endif
#ifndef __set_errno
# define __set_errno(val) errno = (val)
#endif
-#if defined(EACCES) && !defined(EACCESS)
+#if defined EACCES && !defined EACCESS
# define EACCESS EACCES
#endif
@@ -86,117 +60,142 @@ extern int errno;
# define R_OK 4
#endif
-#if !defined (S_IROTH) && defined (R_OK)
-# define S_IROTH R_OK
-#endif
-
-#if !defined (S_IWOTH) && defined (W_OK)
-# define S_IWOTH W_OK
-#endif
-
-#if !defined (S_IXOTH) && defined (X_OK)
-# define S_IXOTH X_OK
-#endif
#ifdef _LIBC
+# define access __access
+# define getuid __getuid
+# define getgid __getgid
+# define geteuid __geteuid
+# define getegid __getegid
# define group_member __group_member
# define euidaccess __euidaccess
+# undef stat
+# define stat stat64
#else
-/* The user's real user id. */
-static uid_t uid;
-
-/* The user's real group id. */
-static gid_t gid;
-
-# if HAVE_GETGROUPS
-int group_member ();
-# else
-# define group_member(gid) 0
-# endif
+# include "group-member.h"
+# include "stat-macros.h"
#endif
-/* The user's effective user id. */
-static uid_t euid;
-
-/* The user's effective group id. */
-static gid_t egid;
-
-/* Nonzero if UID, GID, EUID, and EGID have valid values. */
-static int have_ids;
-
-
/* Return 0 if the user has permission of type MODE on file PATH;
- otherwise, return -1 and set `errno' to EACCESS.
+ otherwise, return -1 and set `errno'.
Like access, except that it uses the effective user and group
- id's instead of the real ones, and it does not check for read-only
- file system, text busy, etc. */
+ id's instead of the real ones, and it does not always check for read-only
+ file system, text busy, etc. */
int
euidaccess (const char *path, int mode)
{
+#if defined EFF_ONLY_OK
+ return access (path, mode | EFF_ONLY_OK);
+#elif defined ACC_SELF
+ return accessx (path, mode, ACC_SELF);
+#elif HAVE_DECL_EACCESS
+ return eaccess (path, mode);
+#else
+
+ uid_t uid = getuid ();
+ gid_t gid = getgid ();
+ uid_t euid = geteuid ();
+ gid_t egid = getegid ();
struct stat stats;
- int granted;
-#ifdef _LIBC
- if (! __libc_enable_secure)
- /* If we are not set-uid or set-gid, access does the same. */
- return __access (path, mode);
-#else
- if (have_ids == 0)
+# if HAVE_DECL_SETREGID && PREFER_NONREENTRANT_EUIDACCESS
+
+ /* Define PREFER_NONREENTRANT_EUIDACCESS if you prefer euidaccess to
+ return the correct result even if this would make it
+ nonreentrant. Define this only if your entire application is
+ safe even if the uid or gid might temporarily change. If your
+ application uses signal handlers or threads it is probably not
+ safe. */
+
+ if (mode == F_OK)
+ return stat (path, &stats);
+ else
{
- have_ids = 1;
- uid = getuid ();
- gid = getgid ();
- euid = geteuid ();
- egid = getegid ();
+ int result;
+ int saved_errno;
+
+ if (uid != euid)
+ setreuid (euid, uid);
+ if (gid != egid)
+ setregid (egid, gid);
+
+ result = access (path, mode);
+ saved_errno = errno;
+
+ /* Restore them. */
+ if (uid != euid)
+ setreuid (uid, euid);
+ if (gid != egid)
+ setregid (gid, egid);
+
+ errno = saved_errno;
+ return result;
}
+# else
+
+ /* The following code assumes the traditional Unix model, and is not
+ correct on systems that have ACLs or the like. However, it's
+ better than nothing, and it is reentrant. */
+
+ unsigned int granted;
if (uid == euid && gid == egid)
/* If we are not set-uid or set-gid, access does the same. */
return access (path, mode);
-#endif
if (stat (path, &stats))
return -1;
- mode &= (X_OK | W_OK | R_OK); /* Clear any bogus bits. */
-#if R_OK != S_IROTH || W_OK != S_IWOTH || X_OK != S_IXOTH
- ?error Oops, portability assumptions incorrect.
-#endif
-
- if (mode == F_OK)
- return 0; /* The file exists. */
-
-#ifdef _LIBC
- /* Now we need the IDs. */
- if (have_ids == 0)
- {
- have_ids = 1;
- euid = __geteuid ();
- egid = __getegid ();
- }
-#endif
-
/* The super-user can read and write any file, and execute any file
- that anyone can execute. */
+ that anyone can execute. */
if (euid == 0 && ((mode & X_OK) == 0
|| (stats.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))))
return 0;
+ /* Convert the mode to traditional form, clearing any bogus bits. */
+ if (R_OK == 4 && W_OK == 2 && X_OK == 1 && F_OK == 0)
+ mode &= 7;
+ else
+ mode = ((mode & R_OK ? 4 : 0)
+ + (mode & W_OK ? 2 : 0)
+ + (mode & X_OK ? 1 : 0));
+
+ if (mode == 0)
+ return 0; /* The file exists. */
+
+ /* Convert the file's permission bits to traditional form. */
+ if (S_IRUSR == (4 << 6) && S_IWUSR == (2 << 6) && S_IXUSR == (1 << 6)
+ && S_IRGRP == (4 << 3) && S_IWGRP == (2 << 3) && S_IXGRP == (1 << 3)
+ && S_IROTH == (4 << 0) && S_IWOTH == (2 << 0) && S_IXOTH == (1 << 0))
+ granted = stats.st_mode;
+ else
+ granted = ((stats.st_mode & S_IRUSR ? 4 << 6 : 0)
+ + (stats.st_mode & S_IWUSR ? 2 << 6 : 0)
+ + (stats.st_mode & S_IXUSR ? 1 << 6 : 0)
+ + (stats.st_mode & S_IRGRP ? 4 << 3 : 0)
+ + (stats.st_mode & S_IWGRP ? 2 << 3 : 0)
+ + (stats.st_mode & S_IXGRP ? 1 << 3 : 0)
+ + (stats.st_mode & S_IROTH ? 4 << 0 : 0)
+ + (stats.st_mode & S_IWOTH ? 2 << 0 : 0)
+ + (stats.st_mode & S_IXOTH ? 1 << 0 : 0));
+
if (euid == stats.st_uid)
- granted = (unsigned) (stats.st_mode & (mode << 6)) >> 6;
+ granted >>= 6;
else if (egid == stats.st_gid || group_member (stats.st_gid))
- granted = (unsigned) (stats.st_mode & (mode << 3)) >> 3;
- else
- granted = (stats.st_mode & mode);
- if (granted == mode)
+ granted >>= 3;
+
+ if ((mode & ~granted) == 0)
return 0;
__set_errno (EACCESS);
return -1;
+
+# endif
+#endif
}
#undef euidaccess
#ifdef weak_alias
@@ -204,9 +203,9 @@ weak_alias (__euidaccess, euidaccess)
#endif
#ifdef TEST
+# include <error.h>
# include <stdio.h>
-# include <errno.h>
-# include "error.h"
+# include <stdlib.h>
char *program_name;
Index: m4/euidaccess.m4
===================================================================
RCS file: /home/eggert/coreutils/cu/m4/euidaccess.m4,v
retrieving revision 1.1
diff -p -u -r1.1 euidaccess.m4
--- m4/euidaccess.m4 17 Aug 2003 17:58:01 -0000 1.1
+++ m4/euidaccess.m4 25 Jul 2004 07:01:40 -0000
@@ -1,17 +1,28 @@
-# euidaccess.m4 serial 2
-dnl Copyright (C) 2002, 2003 Free Software Foundation, Inc.
+# euidaccess.m4 serial 3
+dnl Copyright (C) 2002, 2003, 2004 Free Software Foundation, Inc.
dnl This file is free software, distributed under the terms of the GNU
dnl General Public License. As a special exception to the GNU General
dnl Public License, this file may be distributed as part of a program
dnl that contains a configuration script generated by Autoconf, under
dnl the same distribution terms as the rest of that program.
+AC_DEFUN([gl_FUNC_NONREENTRANT_EUIDACCESS],
+[
+ AC_REQUIRE([gl_FUNC_EUIDACCESS])
+ AC_DEFINE([PREFER_NONREENTRANT_EUIDACCESS], 1,
+ [Define this if you prefer euidaccess to return the correct result
+ even if this would make it nonreentrant. Define this only if your
+ entire application is safe even if the uid or gid might temporarily
+ change. If your application uses signal handlers or threads it
+ is probably not safe.])
+])
+
AC_DEFUN([gl_FUNC_EUIDACCESS],
[
dnl Persuade glibc <unistd.h> to declare euidaccess().
AC_REQUIRE([AC_GNU_SOURCE])
- AC_CHECK_DECLS([euidaccess])
+ AC_CHECK_DECLS_ONCE([euidaccess])
AC_REPLACE_FUNCS(euidaccess)
if test $ac_cv_func_euidaccess = no; then
gl_PREREQ_EUIDACCESS
@@ -21,6 +32,8 @@ AC_DEFUN([gl_FUNC_EUIDACCESS],
# Prerequisites of lib/euidaccess.c.
AC_DEFUN([gl_PREREQ_EUIDACCESS], [
AC_CHECK_HEADERS_ONCE(unistd.h)
+ AC_CHECK_DECLS_ONCE(eaccess setregid)
AC_REQUIRE([AC_FUNC_GETGROUPS])
+ AC_REQUIRE([AC_HEADER_STAT])
])
Index: m4/prereq.m4
===================================================================
RCS file: /home/eggert/coreutils/cu/m4/prereq.m4,v
retrieving revision 1.92
diff -p -u -r1.92 prereq.m4
--- m4/prereq.m4 23 Jul 2004 22:35:07 -0000 1.92
+++ m4/prereq.m4 25 Jul 2004 07:20:40 -0000
@@ -1,4 +1,4 @@
-#serial 42
+#serial 43
dnl We use gl_ for non Autoconf macros.
m4_pattern_forbid([^gl_[ABCDEFGHIJKLMNOPQRSTUVXYZ]])dnl
@@ -33,7 +33,6 @@ AC_DEFUN([gl_PREREQ],
AC_REQUIRE([gl_FUNC_ALLOCA])
AC_REQUIRE([gl_FUNC_ATEXIT])
AC_REQUIRE([gl_FUNC_DUP2])
- AC_REQUIRE([gl_FUNC_EUIDACCESS])
AC_REQUIRE([gl_FUNC_FNMATCH_GNU])
AC_REQUIRE([gl_FUNC_GETHOSTNAME])
AC_REQUIRE([AC_FUNC_GETLOADAVG])
@@ -45,6 +44,7 @@ AC_DEFUN([gl_PREREQ],
AC_REQUIRE([gl_FUNC_MEMRCHR])
AC_REQUIRE([gl_FUNC_MEMSET])
AC_REQUIRE([gl_FUNC_MKTIME])
+ AC_REQUIRE([gl_FUNC_NONREENTRANT_EUIDACCESS])
AC_REQUIRE([gl_FUNC_READLINK])
AC_REQUIRE([gl_FUNC_RMDIR])
AC_REQUIRE([gl_FUNC_RPMATCH])
Index: src/pathchk.c
===================================================================
RCS file: /home/eggert/coreutils/cu/src/pathchk.c,v
retrieving revision 1.78
diff -p -u -r1.78 pathchk.c
--- src/pathchk.c 30 Jun 2004 22:33:40 -0000 1.78
+++ src/pathchk.c 25 Jul 2004 07:03:19 -0000
@@ -45,6 +45,7 @@
#include "system.h"
#include "error.h"
+#include "euidaccess.h"
#include "long-options.h"
/* The official name of this program (e.g., no `g' prefix). */
@@ -255,9 +256,8 @@ dir_ok (const char *path)
/* Use access to test for search permission because
testing permission bits of st_mode can lose with new
- access control mechanisms. Of course, access loses if you're
- running setuid. */
- if (access (path, X_OK) != 0)
+ access control mechanisms. */
+ if (euidaccess (path, X_OK) != 0)
{
if (errno == EACCES)
error (0, 0, _("directory `%s' is not searchable"), path);
Index: src/test.c
===================================================================
RCS file: /home/eggert/coreutils/cu/src/test.c,v
retrieving revision 1.102
diff -p -u -r1.102 test.c
--- src/test.c 22 Jun 2004 14:55:30 -0000 1.102
+++ src/test.c 25 Jul 2004 07:04:55 -0000
@@ -61,13 +61,6 @@ char *program_name;
extern gid_t getegid ();
extern uid_t geteuid ();
-#if !defined (R_OK)
-# define R_OK 4
-# define W_OK 2
-# define X_OK 1
-# define F_OK 0
-#endif /* R_OK */
-
/* The following few defines control the truth and false output of each stage.
TRUE and FALSE are what we use to compute the final output value.
SHELL_BOOLEAN is the form which returns truth or falseness in shell terms.
@@ -122,46 +115,6 @@ test_syntax_error (char const *format, c
test_exit (TEST_FAILURE);
}
-#if HAVE_SETREUID && HAVE_SETREGID
-/* Do the same thing access(2) does, but use the effective uid and gid. */
-
-static int
-eaccess (char const *file, int mode)
-{
- static int have_ids;
- static uid_t uid, euid;
- static gid_t gid, egid;
- int result;
-
- if (have_ids == 0)
- {
- have_ids = 1;
- uid = getuid ();
- gid = getgid ();
- euid = geteuid ();
- egid = getegid ();
- }
-
- /* Set the real user and group IDs to the effective ones. */
- if (uid != euid)
- setreuid (euid, uid);
- if (gid != egid)
- setregid (egid, gid);
-
- result = access (file, mode);
-
- /* Restore them. */
- if (uid != euid)
- setreuid (uid, euid);
- if (gid != egid)
- setregid (gid, egid);
-
- return result;
-}
-#else
-# define eaccess(F, M) euidaccess (F, M)
-#endif
-
/* Increment our position in the argument list. Check that we're not
past the end of the argument list. This check is supressed if the
argument is FALSE. Made a macro for efficiency. */
@@ -624,17 +577,17 @@ unary_operator (void)
case 'r': /* file is readable? */
unary_advance ();
- value = -1 != eaccess (argv[pos - 1], R_OK);
+ value = -1 != euidaccess (argv[pos - 1], R_OK);
return (TRUE == value);
case 'w': /* File is writable? */
unary_advance ();
- value = -1 != eaccess (argv[pos - 1], W_OK);
+ value = -1 != euidaccess (argv[pos - 1], W_OK);
return (TRUE == value);
case 'x': /* File is executable? */
unary_advance ();
- value = -1 != eaccess (argv[pos - 1], X_OK);
+ value = -1 != euidaccess (argv[pos - 1], X_OK);
return (TRUE == value);
case 'O': /* File is owned by you? */
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- coreutils euidaccess cleanup (affects only setuid use),
Paul Eggert <=