From: "jld at mozilla dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug libc/18683] New: Linux faccessat implementation can incorrectly ignore AT_EACCESS
Date: Wed, 15 Jul 2015 21:11:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=18683

            Bug ID: 18683
           Summary: Linux faccessat implementation can incorrectly ignore
                    AT_EACCESS
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: jld at mozilla dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

The Linux implementation of faccessat() assumes that if __libc_enable_secure
is 0 then the process's real and effective capabilities are equal and it can
ignore AT_EACCESS in order to use the faccessat syscall (instead of, as
documented, imperfectly emulating it with fstatat).
But this isn't quite correct: if the process has CAP_SETUID and/or CAP_SETGID
(e.g., if it's run as root) it can start with equal real/effective
capabilities and change them later.

For example, in a program run as uid 0, assuming "/etc/passwd" is a regular
file with mode 0644 owned by uid 0:

    seteuid(-2) => 0
    faccessat(AT_FDCWD, "/etc/passwd", W_OK, AT_EACCESS) => 0
    open("/etc/passwd", O_WRONLY) => -1

I'm not sure how important this bug is (the usual warnings about
time-of-check/time-of-use issues apply to most use cases for faccessat, and
it's currently impossible to implement faccessat correctly on Linux), but I
thought it should at least be on file for if/when someone else runs into it.
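Added example, not part of the original report or of glibc: a C program that compares the answer from faccessat(..., AT_EACCESS) with the result of actually opening the file for writing, first with equal real and effective ids and then, only when started as uid 0, after the seteuid(-2) step from the report. The function names and the scratch path under /tmp are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names, chosen for this illustration. */
enum verdict { AGREE = 0, CHECK_TOO_PERMISSIVE = 1, CHECK_TOO_STRICT = 2 };

/* Ask faccessat(AT_EACCESS) whether path is writable, then really try to
 * open it for writing, and report whether the two answers match. */
enum verdict compare_check_with_open(const char *path)
{
    int check_ok = faccessat(AT_FDCWD, path, W_OK, AT_EACCESS) == 0;
    int fd = open(path, O_WRONLY | O_CLOEXEC);
    int open_ok = fd >= 0;

    if (open_ok) close(fd);
    if (check_ok == open_ok) return AGREE;
    return check_ok ? CHECK_TOO_PERMISSIVE : CHECK_TOO_STRICT;
}

/* Create a scratch file from a mkstemp template and set its mode. */
int make_scratch_file(char *tmpl, mode_t mode)
{
    int fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    int rc = fchmod(fd, mode);
    close(fd);
    return rc;
}

int main(void)
{
    char path[] = "/tmp/faccessat-demo-XXXXXX"; /* constructed scratch path */

    if (make_scratch_file(path, 0644) != 0) {
        perror("mkstemp/fchmod");
        return 2;
    }
    printf("real == effective: verdict %d\n", compare_check_with_open(path));
    /* Only when started as uid 0: lower the effective uid as in the report. */
    if (geteuid() == 0 && seteuid((uid_t)-2) == 0) {
        printf("after seteuid(-2): verdict %d\n", compare_check_with_open(path));
        if (seteuid(0) != 0) perror("seteuid(0)");
    }
    unlink(path);
    return 0;
}
```

With the behaviour described in the report, the second line printed under uid 0 shows verdict 1: the check answered "writable" while open() failed.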