# HG changeset patch # User Bruno Haible # Date 1267901374 -3600 # Node ID dc644566d7aba6c6c95d73993a013c41d6e19edc # Parent 1aed01763cecf53d63420b3dd9ebc94f8f9f5b4b Clarify access, euidaccess, faccessat. diff --git a/ChangeLog b/ChangeLog --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2010-03-06 Bruno Haible + + Clarify access, euidaccess, faccessat. + * doc/posix-functions/faccessat.texi: Mention security problem under + "Other problems", not "Portability problems". + * doc/posix-functions/access.texi: Likewise. Mention a related security + problem. + * doc/glibc-functions/euidaccess.texi: Mention security problems. + * lib/euidaccess.c: Add comments about platforms. + * lib/unistd.in.h (access, euidaccess): Add warnings. + 2010-03-07 Bruno Haible Ensure posix_spawnattr_{get,set}sched{policy,param} are defined. diff --git a/doc/glibc-functions/euidaccess.texi b/doc/glibc-functions/euidaccess.texi --- a/doc/glibc-functions/euidaccess.texi +++ b/doc/glibc-functions/euidaccess.texi @@ -15,3 +15,15 @@ Portability problems not fixed by Gnulib: @itemize @end itemize + +Other problems of this function: +@itemize +@item +There is an inherent race between calling this function and performing +some action based on the results; you should think twice before trusting +this function, especially in a set-uid or set-gid program. +@item +This function does not have an option for not following symbolic links +(like @code{stat} versus @code{lstat}). If you need this option, use +the Gnulib module @code{faccessat} with the @code{AT_EACCESS} flag. +@end itemize diff --git a/doc/posix-functions/access.texi b/doc/posix-functions/access.texi --- a/doc/posix-functions/access.texi +++ b/doc/posix-functions/access.texi 
@@ -16,8 +16,16 @@ This function uses the effective id instead of the real id on some platforms: Cygwin 1.5.x. +@end itemize + +Other problems of this function: +@itemize @item There is an inherent race between calling this function and performing -some action based on the results; you should think twice before -trusting this function in a set-uid or set-gid program. +some action based on the results; you should think twice before trusting +this function, especially in a set-uid or set-gid program. +@item +This function does not have an option for not following symbolic links +(like @code{stat} versus @code{lstat}). If you need this option, use +the Gnulib module @code{faccessat} with the @code{AT_EACCESS} flag. @end itemize diff --git a/doc/posix-functions/faccessat.texi b/doc/posix-functions/faccessat.texi --- a/doc/posix-functions/faccessat.texi +++ b/doc/posix-functions/faccessat.texi @@ -19,8 +19,12 @@ Portability problems not fixed by Gnulib: @itemize +@end itemize + +Other problems of this function: +@itemize @item There is an inherent race between calling this function and performing -some action based on the results; you should think twice before -trusting this function in a set-uid or set-gid program. +some action based on the results; you should think twice before trusting +this function, especially in a set-uid or set-gid program. @end itemize diff --git a/lib/euidaccess.c b/lib/euidaccess.c --- a/lib/euidaccess.c +++ b/lib/euidaccess.c 
@@ -78,15 +78,15 @@ int euidaccess (const char *file, int mode) { -#if HAVE_FACCESSAT +#if HAVE_FACCESSAT /* glibc */ return faccessat (AT_FDCWD, file, mode, AT_EACCESS); -#elif defined EFF_ONLY_OK +#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */ return access (file, mode | EFF_ONLY_OK); -#elif defined ACC_SELF +#elif defined ACC_SELF /* AIX */ return accessx (file, mode, ACC_SELF); -#elif HAVE_EACCESS +#elif HAVE_EACCESS /* FreeBSD */ return eaccess (file, mode); -#else +#else /* MacOS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */ uid_t uid = getuid (); gid_t gid = getgid (); diff --git a/lib/unistd.in.h b/lib/unistd.in.h --- a/lib/unistd.in.h +++ b/lib/unistd.in.h @@ -146,6 +146,13 @@ #endif +#if defined GNULIB_POSIXCHECK +/* The access() function is a security risk. */ +_GL_WARN_ON_USE (access, "the access function is a security risk - " + "use the gnulib module faccessat instead"); +#endif + + #if @GNULIB_CHOWN@ # if @REPLACE_CHOWN@ # undef chown @@ -269,6 +276,11 @@ the current process. */ extern int euidaccess (const char *filename, int mode) _GL_ARG_NONNULL ((1)); # endif +# if defined GNULIB_POSIXCHECK +/* Like access(), this function is a security risk. */ +_GL_WARN_ON_USE (euidaccess, "the euidaccess function is a security risk - " + "use the gnulib module faccessat instead"); +# endif #elif defined GNULIB_POSIXCHECK # undef euidaccess # if HAVE_RAW_DECL_EUIDACCESS
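Review bot: The comments added to the `#if`/`#elif`/`#else` lines in euidaccess() name platforms, but each branch is selected by a feature test, so the lists are a snapshot and will drift as systems gain faccessat or eaccess. Wording them as examples, e.g. `#if HAVE_FACCESSAT /* e.g. glibc */`, avoids implying the branch is glibc-only. The `#else` branch starts with getuid()/getgid() and continues outside the hunk; if it emulates the permission check in user space, as it appears to, a comment there should say so, because callers on those platforms then get a different check from the one the system call would perform.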
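Review bot: The `_GL_WARN_ON_USE` text for access says "use the gnulib module faccessat instead", but the faccessat.texi hunk in this same commit documents the same check-then-act race for faccessat, so following the warning does not remove the risk it names. The message should state the actual problem and the pattern that avoids it, e.g. `"access is subject to a check-then-use race - perform the operation and handle its error instead"`. The euidaccess warning in the second unistd.in.h hunk (`@@ -269,6 +276,11 @@`) has the same wording and needs the same change. Both warnings are active only under GNULIB_POSIXCHECK, so this affects the diagnostic text only.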