+2010-03-06 Bruno Haible <bruno@clisp.org>
+
+ Clarify access, euidaccess, faccessat.
+ * doc/posix-functions/faccessat.texi: Mention security problem under
+ "Other problems", not "Portability problems".
+ * doc/posix-functions/access.texi: Likewise. Mention a related security
+ problem.
+ * doc/glibc-functions/euidaccess.texi: Mention security problems.
+ * lib/euidaccess.c: Add comments about platforms.
+ * lib/unistd.in.h (access, euidaccess): Add warnings.
+
2010-03-07 Bruno Haible <bruno@clisp.org>
Ensure posix_spawnattr_{get,set}sched{policy,param} are defined.
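Review bot: The new ChangeLog entry is dated 2010-03-06 but is inserted above the existing 2010-03-07 entry, so the file is no longer in reverse chronological order at this point. Either move the entry below the 2010-03-07 one or give it the date on which the change is actually committed.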
Portability problems not fixed by Gnulib:
@itemize
@end itemize
+
+Other problems of this function:
+@itemize
+@item
+There is an inherent race between calling this function and performing
+some action based on the results; you should think twice before trusting
+this function, especially in a set-uid or set-gid program.
+@item
+This function does not have an option for not following symbolic links
+(like @code{stat} versus @code{lstat}). If you need this option, use
+the Gnulib module @code{faccessat} with the @code{AT_EACCESS} flag.
+@end itemize
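Review bot: In the second added @item, AT_EACCESS is presented as the option for not following symbolic links, but that flag makes the check use the effective IDs and does not control symlink handling. If the intended meaning is "faccessat with AT_EACCESS is the equivalent call, and faccessat additionally accepts a no-follow flag", the sentence should say so and name that flag (glibc documents AT_SYMLINK_NOFOLLOW for faccessat). It should also state whether the Gnulib replacement honours it.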
This function uses the effective id instead of the real id on some
platforms:
Cygwin 1.5.x.
+@end itemize
+
+Other problems of this function:
+@itemize
@item
There is an inherent race between calling this function and performing
-some action based on the results; you should think twice before
-trusting this function in a set-uid or set-gid program.
+some action based on the results; you should think twice before trusting
+this function, especially in a set-uid or set-gid program.
+@item
+This function does not have an option for not following symbolic links
+(like @code{stat} versus @code{lstat}). If you need this option, use
+the Gnulib module @code{faccessat} with the @code{AT_EACCESS} flag.
@end itemize
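Review bot: The added symlink @item repeats the AT_EACCESS advice in a place where it changes the meaning of the check. The context lines above it list "uses the effective id instead of the real id" as a platform defect, so sending readers to faccessat with AT_EACCESS swaps a real-id check for an effective-id one. In a set-uid or set-gid program, the case the preceding @item singles out, the two can give different answers. Suggest recommending faccessat with flags that keep the real-id semantics and naming the no-follow flag separately.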
Portability problems not fixed by Gnulib:
@itemize
+@end itemize
+
+Other problems of this function:
+@itemize
@item
There is an inherent race between calling this function and performing
-some action based on the results; you should think twice before
-trusting this function in a set-uid or set-gid program.
+some action based on the results; you should think twice before trusting
+this function, especially in a set-uid or set-gid program.
@end itemize
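Review bot: The reworded race @item still stops at "think twice before trusting this function" and gives the reader nothing to do instead. One more sentence would make it actionable, for example: attempt the operation itself (such as the open) with the intended credentials and handle its failure, rather than checking first and acting afterwards. Because the other hunks of this patch point readers to faccessat as the replacement, it is worth stating here explicitly that switching to faccessat does not remove the race.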
int
euidaccess (const char *file, int mode)
{
-#if HAVE_FACCESSAT
+#if HAVE_FACCESSAT /* glibc */
return faccessat (AT_FDCWD, file, mode, AT_EACCESS);
-#elif defined EFF_ONLY_OK
+#elif defined EFF_ONLY_OK /* IRIX, OSF/1, Interix */
return access (file, mode | EFF_ONLY_OK);
-#elif defined ACC_SELF
+#elif defined ACC_SELF /* AIX */
return accessx (file, mode, ACC_SELF);
-#elif HAVE_EACCESS
+#elif HAVE_EACCESS /* FreeBSD */
return eaccess (file, mode);
-#else
+#else /* MacOS X, NetBSD, OpenBSD, HP-UX, Solaris, Cygwin, mingw, BeOS */
uid_t uid = getuid ();
gid_t gid = getgid ();
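Review bot: The platform lists in the new trailing comments will go stale silently, because each branch is selected by a feature macro and not by platform; "#if HAVE_FACCESSAT /* glibc */" reads as if only glibc ever takes that branch. Phrasing them as examples ("e.g. glibc") would avoid misleading a later reader. The list on the #else line is long enough that a block comment above the branch would be easier to maintain than a trailing one.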
#endif
+#if defined GNULIB_POSIXCHECK
+/* The access() function is a security risk. */
+_GL_WARN_ON_USE (access, "the access function is a security risk - "
+ "use the gnulib module faccessat instead");
+#endif
+
+
#if @GNULIB_CHOWN@
# if @REPLACE_CHOWN@
# undef chown
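Review bot: The warning text "use the gnulib module faccessat instead" promises more than the documentation in this same patch supports, since the texinfo hunks list the check-then-act race as inherent under "Other problems of this function" in all three places. A caller who follows the warning and replaces access with faccessat still has the race. Suggest that the message and the comment above it name the actual problem (the race between the check and the later action, and symbolic links being followed) instead of only saying "security risk". The hunk also adds two blank lines after #endif where one is enough.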
the current process. */
extern int euidaccess (const char *filename, int mode) _GL_ARG_NONNULL ((1));
# endif
+# if defined GNULIB_POSIXCHECK
+/* Like access(), this function is a security risk. */
+_GL_WARN_ON_USE (euidaccess, "the euidaccess function is a security risk - "
+ "use the gnulib module faccessat instead");
+# endif
#elif defined GNULIB_POSIXCHECK
# undef euidaccess
# if HAVE_RAW_DECL_EUIDACCESS
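Review bot: This _GL_WARN_ON_USE (euidaccess, ...) is added ahead of the "#elif defined GNULIB_POSIXCHECK" line, that is, in the same branch that declares "extern int euidaccess", so a package that deliberately uses the declared function is warned about it whenever GNULIB_POSIXCHECK is defined. If that is intended, the comment should say so, because "Like access(), this function is a security risk" does not explain why the warning sits next to the declaration. The "use the gnulib module faccessat instead" wording has the same problem as in the access warning: it does not tell the caller which flags to pass or that the race remains.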