On Mon, 29 Jul 2019 18:46:25 -0700 Michael Forney <[email protected]> wrote:
> On 2019-07-27, Mattias Andrée <[email protected]> wrote:
> > A file is executable only if the effective user
> > has permission to execute it. The real user's
> > permissions do not matter.
>
> Thanks for the patch, but doesn't this only make a difference if the
> `which` binary itself is setuid? If not, can you provide an example
> that is fixed by this patch?
>
> I looked at a few other implementations and they just use access(3),
> which behaves like faccessat(3) with no flags.
>

setuid is inherited (exec(3) never changes the effective user according
to POSIX unless the new process has the setuid flag and it is not blocked
by the ST_NOSUID mount option). However, I cannot think of a real world
scenario where this would matter; it would be if the user has a program
similar to sudo that only changes the effective user.
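
Added example, not part of the original thread or of the patch under discussion: a minimal PATH lookup in C that runs the same executability check twice, once with flags 0 (real IDs, which is what access(3) does) and once with AT_EACCESS (effective IDs). The function names and the directory list are hypothetical; the two lookups can only disagree when the process's real and effective IDs differ.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* faccessat(), AT_EACCESS */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path is a regular file that may be executed. flags == 0 checks the
 * real UID/GID, like access(3); AT_EACCESS checks the effective ones. */
static int can_exec(const char *path, int flags)
{
	struct stat st;

	if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
		return 0; /* missing, or a directory (X_OK there means search) */
	return faccessat(AT_FDCWD, path, X_OK, flags) == 0;
}

/* Walk a colon-separated list (empty entry = "."); out gets the first hit. */
static int search_path(const char *dirs, const char *name, int flags,
                       char *out, size_t outsz)
{
	for (const char *p = dirs;; ) {
		size_t n = strcspn(p, ":");
		int len = snprintf(out, outsz, "%.*s/%s",
		                   n ? (int)n : 1, n ? p : ".", name);
		if (len > 0 && (size_t)len < outsz && can_exec(out, flags))
			return 1;
		if (p[n] == '\0')
			break;
		p += n + 1;
	}
	out[0] = '\0';
	return 0;
}

int main(int argc, char **argv)
{
	char buf[4096];
	const char *name = argc > 1 ? argv[1] : "sh";
	const char *dirs = "/usr/local/bin:/usr/bin:/bin"; /* constructed list */

	printf("uid %ld, euid %ld\n", (long)getuid(), (long)geteuid());
	printf("real:      %s\n", search_path(dirs, name, 0, buf, sizeof buf) ? buf : "(none)");
	printf("effective: %s\n", search_path(dirs, name, AT_EACCESS, buf, sizeof buf) ? buf : "(none)");
	return 0;
}
```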
