[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Support for file ACL -- Access Control Lists [Patch included]
From: |
werner |
Subject: |
Support for file ACL -- Access Control Lists [Patch included] |
Date: |
Thu, 4 Jun 2009 14:39:41 +0200 |
Configuration Information [Automatically generated, do not change]:
Machine: i586
OS: linux-gnu
Compiler: gcc -I/usr/src/packages/BUILD/bash-4.0
-L/usr/src/packages/BUILD/bash-4.0/../readline-6.0
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i586'
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i586-suse-linux-gnu'
-DCONF_VENDOR='suse' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL
-DHAVE_CONFIG_H -I. -I. -I./include -I./lib -O2 -march=i586 -mtune=i686
-fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables
-fasynchronous-unwind-tables -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64
-D_GNU_SOURCE -DRECYCLES_PIDS -Wall -g -std=gnu89 -Wextra
-Wno-unprototyped-calls -Wno-switch-enum -Wno-unused-variable
-Wno-unused-parameter -ftree-loop-linear -pipe -fprofile-use
uname output: Linux boole 2.6.27.19-3.2-pae #1 SMP 2009-02-25 15:40:44 +0100
i686 i686 i386 GNU/Linux
Machine Type: i586-suse-linux-gnu
Bash Version: 4.0
Patch Level: 24
Release Status: release
Description:
If the user has access to a script through an ACL but not through
the file mode permission bits, bash will refuse to source the script
unless the full path is given. Using eaccess(3) from glibc solves
the problem and also works with standard mode permission bits.
Repeat-By:
Use chmod(1) and setfacl(1) to make a script only available through
ACL file attributes.
Fix:
--- findcmd.c
+++ findcmd.c 2009-06-04 12:03:16.094615177 +0200
@@ -93,7 +93,22 @@ file_status (name)
r = FS_EXISTS;
-#if defined (AFS)
+#if defined (HAVE_EACCESS) /* FreeBSD, GLIBC_2.4+ */
+
+ /* For support of ACL's use eaccess(3) if found e.g. glibc 2.4 and up:
+ * Like access(2), euidaccess(3) checks permissions and existence of the
+ * file identified by its argument pathname. However, whereas access(2),
+ * performs checks using the real user and group identifiers of the pro-
+ * cess, euidaccess(3) uses the effective identifiers.
+ * eaccess(3) is a synonym for euidaccess(3), provided for compatibility
+ * with some other systems. */
+ if (eaccess (name, X_OK) == 0)
+ r |= FS_EXECABLE;
+ if (eaccess (name, R_OK) == 0)
+ r |= FS_READABLE;
+
+#elif defined (AFS)
+
/* We have to use access(2) to determine access because AFS does not
support Unix file system semantics. This may produce wrong
answers for non-AFS files when ruid != euid. I hate AFS. */
@@ -102,8 +117,7 @@ file_status (name)
if (access (name, R_OK) == 0)
r |= FS_READABLE;
- return r;
-#else /* !AFS */
+#else /* !AFS && !HAVE_EACCESS */
/* Find out if the file is actually executable. By definition, the
only other criteria is that the file has an execute bit set that
@@ -146,8 +160,8 @@ file_status (name)
r |= FS_READABLE;
}
+#endif /* !AFS && !HAVE_EACCESS */
return r;
-#endif /* !AFS */
}
/* Return non-zero if FILE exists and is executable.
--- lib/sh/eaccess.c
+++ lib/sh/eaccess.c 2009-06-04 11:59:33.165901707 +0200
@@ -201,7 +201,7 @@ sh_eaccess (path, mode)
if (path_is_devfd (path))
return (sh_stataccess (path, mode));
-#if defined (HAVE_EACCESS) /* FreeBSD */
+#if defined (HAVE_EACCESS) /* FreeBSD, GLIBC_2.4+ */
return (eaccess (path, mode));
#elif defined (EFF_ONLY_OK) /* SVR4(?), SVR4.2 */
return access (path, mode|EFF_ONLY_OK);
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Support for file ACL -- Access Control Lists [Patch included],
werner <=