On Tue, Sep 27, 2011 at 06:19:06PM -0500, Jonathan Nieder wrote:
> POSIX.1-2008 §4.4 "File Access Permission" sayeth:
> 
>       If execute permission is requested, access shall be granted
>       if execute permission is granted to at least one user by the
>       file permission bits or by an alternate access control
>       mechanism; otherwise, access shall be denied.
> 
> For historical reasons, POSIX unfortunately also allows access() and
> faccessat() to return success for X_OK if the current process is
> privileged, even when the above condition is not fulfilled and actual
> execution would fail.  On the affected platforms, "test -x <path>" as
> root started returning true on nonexecutable files when dash switched
> from its own emulation to the true faccessat in v0.5.7~54
> (2010-04-02).
> 
> Work around this by checking the permissions bits when mode == X_OK
> and geteuid() == 0 on such platforms.
> 
> Unfortunately the behavior seems to vary from one kernel version to
> another, so we cannot just check the behavior at compile time and rely
> on that.  A survey of some affected kernels:
> 
>  - NetBSD's kernel moved to the sane semantics in 1997
>  - OpenBSD's kernel made the same change in version 4.4, three years
>    ago
>  - FreeBSD 9's kernel fixes this but hasn't been released yet
> 
> It seems safe to only apply the workaround on systems using the
> FreeBSD kernel for now, and to push for standardization on the
> expected access()/faccessat() semantics so we can drop the workaround
> altogether in a few years.
> 
> To try it on other platforms, use "./configure --enable-test-workaround".
> 
> Reported-by: Christoph Egger <[email protected]>
> Analysis-by: Petr Salinger <[email protected]>
> Signed-off-by: Jonathan Nieder <[email protected]>

This patch seems to have slipped through the cracks.  Nevertheless
it is now applied.

Thanks,
-- 
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
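
The workaround described in the quoted commit message, as an added example (not the dash patch and not code from this thread): a privileged X_OK success from faccessat() is re-checked against the file's permission bits. The names `checked_access` and `any_exec_bit` are hypothetical, and the directory exception is an assumption of this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: is execute permission granted to at least one user? */
static int any_exec_bit(mode_t st_mode)
{
    return (st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

/*
 * Hypothetical wrapper for "test -x"-style checks.
 * Returns 0 when access is granted, -1 when it is denied.
 */
static int checked_access(const char *path, int mode)
{
    struct stat st;

    /* A denial from the kernel is always trusted. */
    if (faccessat(AT_FDCWD, path, mode, AT_EACCESS) != 0)
        return -1;
    /* Only a privileged X_OK success needs a second opinion. */
    if (mode != X_OK || geteuid() != 0)
        return 0;
    if (stat(path, &st) != 0)
        return -1;
    /* Assumption: a privileged process may search any directory. */
    if (S_ISDIR(st.st_mode))
        return 0;
    return any_exec_bit(st.st_mode) ? 0 : -1;
}

int main(void)
{
    char tmpl[] = "/tmp/xok-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(tmpl);

    if (fd < 0)
        return 1;
    close(fd);
    chmod(tmpl, 0644);                       /* no execute bit anywhere */
    printf("0644: %s\n", checked_access(tmpl, X_OK) ? "denied" : "granted");
    unlink(tmpl);
    return 0;
}
```

Run as root on a kernel with the legacy semantics, a bare faccessat() call would report the 0644 file as executable; the wrapper reports it as denied on every platform.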