On 26/01/2010 17:04, Henry Jen wrote:
>> Ruby seems to prefer to check access rights based on effective uid where
>> possible and not on the actual uid and some platforms provide a system
>> call to facilitate this. OpenSolaris doesn't so the fallback is to
>> perform manual checks using the 'mode' of the file/directory. This
>> completely ignores any ACLs that may be set on that file/directory. The
>> access() system call is a standard C-library function and on OpenSolaris
>> it works with ACLs but as it uses the real uid it's only used as a
>> fallback if a platform has no way to determine effective uid.
>> OpenSolaris does, so access() is never used.
>>
>
> Thanks for the helpful explanation, in this case, I think there is a solution.
>
> Just checked `man access`, and there is a faccessat() call that can use the
> AT_EACCESS flag to check permission with effective uid/gid. Quoted below,
>
>     The faccessat() function is equivalent to the access() function,
>     except in the case where path specifies a relative path. In this
>     case the file whose accessibility is to be determined is located
>     relative to the directory associated with the file descriptor fd
>     instead of the current working directory.
>
>     If faccessat() is passed in the fd parameter the special value
>     AT_FDCWD, defined in <fcntl.h>, the current working directory is
>     used and the behavior is identical to a call to access().
>
>     Values for flag are constructed by a bitwise-inclusive OR of flags
>     from the following list, defined in <fcntl.h>:
>
>     AT_EACCESS    The checks for accessibility are performed using the
>                   effective user and group IDs instead of the real user
>                   and group ID as required in a call to access().
>

Ok, I stopped reading that section of the man page when I saw that it
referred to the use of relative paths, I should have read on.

I'll have a look and see if it can be used to solve this issue, if it can
I'll bug it and supply a patch to the upstream community. Depending on the
response that gets (and on other things), we could make the change in
OpenSolaris Ruby build.

Thanks

Amanda

>
>
>> Basically for OpenSolaris the whole thing needs a rethink.
>>
>> I'll raise an RFE for it. Did you look at Daniel Berger's solaris-file
>> ruby extension (http://github.com/djberg96/solaris-file)? Unfortunately
>> it doesn't extend File.readable?, etc, it just adds ACL support.
>>
>
> No, I missed it somehow. Now google search finds it at github, seems to be
> added on Jan. 17. Thanks again for the pointer.
>
> Cheers,
> Henry
>
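
The two approaches discussed in this thread, side by side, as an added example that is not part of the original messages and is not Ruby's own code: a kernel-evaluated check via faccessat() with AT_EACCESS, and a mode-bits-only check of the kind the thread describes as the fallback. The function names and the sample file are hypothetical; on a file whose access is decided by an ACL entry the second function can disagree with the first.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* assumption: glibc; exposes AT_EACCESS and getgroups() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Kernel-evaluated check against the effective uid/gid. Where access()
 * honours ACLs (as the thread says it does on OpenSolaris), so does this. */
int eaccess_kernel(const char *path, int mode)
{
    return faccessat(AT_FDCWD, path, mode, AT_EACCESS) == 0;
}

/* Hypothetical stand-in for the manual fallback: mode bits only, ACLs ignored. */
int eaccess_mode_bits(const char *path, int mode)
{
    struct stat st;
    gid_t groups[64];
    int i, n, in_group, shift;
    uid_t euid = geteuid();

    if (stat(path, &st) != 0)
        return 0;
    if (euid == 0)   /* root: r/w always; x needs a directory or some x bit */
        return !(mode & X_OK) || S_ISDIR(st.st_mode) || (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH));

    in_group = (st.st_gid == getegid());
    n = getgroups(64, groups);             /* supplementary groups count too */
    for (i = 0; i < n && !in_group; i++)
        in_group = (groups[i] == st.st_gid);
    shift = (st.st_uid == euid) ? 6 : in_group ? 3 : 0;   /* owner/group/other */
    return (((st.st_mode >> shift) & 7) & (unsigned)mode) == (unsigned)mode;
}

int main(void)
{
    char path[] = "/tmp/eaccess-demo-XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    fchmod(fd, 0600);
    printf("R_OK: kernel=%d mode-bits=%d\n",
           eaccess_kernel(path, R_OK), eaccess_mode_bits(path, R_OK));
    close(fd);
    unlink(path);
    return 0;
}
```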