This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS
- From: "jld at mozilla dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 15 Jul 2015 21:11:11 +0000
- Subject: [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=18683
Bug ID: 18683
Summary: Linux faccessat implementation can incorrectly ignore
AT_EACCESS
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: jld at mozilla dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
The Linux implementation of faccessat() assumes that if __libc_enable_secure is
0 then the process's real and effective capabilities are equal and it can
ignore AT_EACCESS in order to use the faccessat syscall (instead of, as
documented, imperfectly emulating it with fstatat).
But this isn't quite correct: if the process has CAP_SETUID and/or CAP_SETGID
(e.g., if it's run as root) it can start with equal real/effective capabilities
and change them later.
For example, in a program run as uid 0, assuming "/etc/passwd" is a regular
file with mode 0644 owned by uid 0:
seteuid(-2) => 0
faccessat(AT_FDCWD, "/etc/passwd", W_OK, AT_EACCESS) => 0
open("/etc/passwd", O_WRONLY) => -1
I'm not sure how important this bug is (the usual warnings about
time-of-check/time-of-use issues apply to most use cases for faccessat, and
it's currently impossible to implement faccessat correctly on Linux), but I
thought it should at least be on file for if/when someone else runs into it.
--
You are receiving this mail because:
You are on the CC list for the bug.