author | Kaz Kylheku <kaz@kylheku.com> | 2019-05-29 06:34:37 -0700 |
---|---|---|
committer | Kaz Kylheku <kaz@kylheku.com> | 2019-05-29 06:34:37 -0700 |
commit | 3961307b692a49f5463b909c1a7bc2a930e9fa8c (patch) | |
tree | b7a37e05a5f97b2e743ecfeaadb24789ada79cc1 /txr.1 | |
parent | a2279254bc56443ce4c9f0dd4cc51cf627332c4d (diff) | |
download | txr-3961307b692a49f5463b909c1a7bc2a930e9fa8c.tar.gz txr-3961307b692a49f5463b909c1a7bc2a930e9fa8c.tar.bz2 txr-3961307b692a49f5463b909c1a7bc2a930e9fa8c.zip |
path-private-to-me-p: bugfix: not including superuser.
* share/txr/stdlib/path-test.tl (path-private-to-me,
path-strictly-private-to-me): These functions were neglecting
to trust the root user, as documented. If the file is owned
by root, we treat it as if it were owned by the caller.
Furthermore, if we have to process the group membership, we
allow the group to contain the superuser's name.
* txr.1: Documentation improved, and the treatment of
groups documented.
Diffstat (limited to 'txr.1')
-rw-r--r-- | txr.1 | 36 |
1 files changed, 22 insertions, 14 deletions
@@ -53870,8 +53870,8 @@ The rules which the function applies are as follows: A file to be examined is initially assumed to be strictly private. -If the file is not owned by the effective user ID of the caller, then -it is not private. +If the file is not owned by the effective user ID of the caller, or +else by the superuser, then it is not private. If the file grants write permission to "others", then it is not private. @@ -53879,12 +53879,12 @@ If the file grants read permission to "others", then it is not strictly private. If the file grants write permission to the group owner, then it is not -private, unless either the group is empty, or else the group has exactly one -member, who is the owner of the file. +private if the group contains names other than that of the file owner or the +superuser. If the file grants read permission to the group owner, then it is not -strictly private, unless either the group is empty, or else the group has -exactly one member, who is the owner of the file. +strictly private if the group contains names other than that of the file owner +or the superuser. Note that this interpretation of "private" and "strictly private" is vulnerable to the following time-of-check to time-of-use race condition with regard to the 
@@ -53898,15 +53898,23 @@ race if .meta path is a string rather than a .code stat -structure. If the directory which contains the file is writable to others, the -file can pass the check at the time the function is called, but before it is -used, the file can be replaced by another file with different permissions. -To guard against this race, one must open the file, and then use +structure. If any components of the +.meta path +are symbolic links or directories that can be manipulated by other +users, then the object named by +.meta path +file can pass the check, but can later +.meta path +can be subverted to refer to a different object. + +One way to guard against this race is to open the file, then use .code fstat -on the stream, using the structure returned by fstat to perform the check, -with the understanding that it applies only to the open file, and not -necessarily to whatever object may now be retrieved by the original -directory entry. +on the stream to obtain a +.code stat +structure which is then used as an argument to +.code path-private-to-me-p +or +.codn path-strictly-private-to-me-p . .coNP Functions @ path-newer and @ path-older .synb |
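Review bot: in the first hunk (@@ -53870), the new sentence "If the file is not owned by the effective user ID of the caller, or else by the superuser, then it is not private" can be read as saying that a file owned by the superuser is not private, which is the opposite of what the commit message states (a root-owned file is treated as if owned by the caller). Suggest rewording to "If the file is owned neither by the effective user ID of the caller nor by the superuser, then it is not private." so the rule cannot be misread.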
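Review bot: in the second hunk (@@ -53879), the new group rules say the file stays private only if the group contains no names "other than that of the file owner or the superuser", but after the first hunk a root-owned file is treated as owned by the caller, so it is unclear whether "the file owner" here means the actual owner from the stat structure or the caller. If a root-owned file has a group containing the caller's name, a reader cannot tell from this text whether that counts as private; suggest stating explicitly which identity the group test compares against. The old wording also covered the empty group case explicitly; the new "contains names other than" wording covers it only implicitly, which is acceptable but worth a glance.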
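Review bot: in the third hunk (@@ -53898), the added sentence "then the object named by path file can pass the check, but can later path can be subverted to refer to a different object" is ungrammatical: there is a stray "file" after the first .meta path and a doubled "can later ... can be". Suggest "then the object named by path can pass the check, but path can later be subverted to refer to a different object." Also consider keeping the removed caveat that the fstat-based result applies only to the open file and not necessarily to whatever the original directory entry now names, since the advice to pass the fstat structure to path-private-to-me-p relies on the reader understanding that limitation.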