Support for file ACL -- Access Control Lists [Patch included]

From: werner
Subject: Support for file ACL -- Access Control Lists [Patch included]
Date: Thu, 4 Jun 2009 14:39:41 +0200

Configuration Information [Automatically generated, do not change]:
Machine: i586
OS: linux-gnu
Compiler: gcc -I/usr/src/packages/BUILD/bash-4.0 
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i586' 
-DCONF_OSTYPE='linux-gnu' -DCONF_MACHTYPE='i586-suse-linux-gnu' 
-DCONF_VENDOR='suse' -DLOCALEDIR='/usr/share/locale' -DPACKAGE='bash' -DSHELL 
-DHAVE_CONFIG_H   -I.  -I. -I./include -I./lib   -O2 -march=i586 -mtune=i686 
-fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables 
-fasynchronous-unwind-tables -g -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64 
-D_GNU_SOURCE -DRECYCLES_PIDS -Wall -g -std=gnu89 -Wextra 
-Wno-unprototyped-calls -Wno-switch-enum -Wno-unused-variable 
-Wno-unused-parameter -ftree-loop-linear -pipe -fprofile-use
uname output: Linux boole #1 SMP 2009-02-25 15:40:44 +0100 
i686 i686 i386 GNU/Linux
Machine Type: i586-suse-linux-gnu

Bash Version: 4.0
Patch Level: 24
Release Status: release

        If the user has access to a script through an ACL but not through
        the file mode permission bits, bash will refuse to source the script
        unless the full path is given.  Using eaccess(3) from glibc solves
        the problem and also works with standard mode permission bits.

        Use chmod(1) and setfacl(1) to make a script only available through
        ACL file attributes.

--- findcmd.c
+++ findcmd.c   2009-06-04 12:03:16.094615177 +0200
@@ -93,7 +93,22 @@ file_status (name)
   r = FS_EXISTS;
-#if defined (AFS)
+#if defined (HAVE_EACCESS)     /* FreeBSD, GLIBC_2.4+ */
+  /* For support of ACL's use eaccess(3) if found e.g. glibc 2.4 and up:
+   * Like  access(2), euidaccess(3) checks permissions and existence of the
+   * file identified by its argument pathname.  However, whereas access(2),
+   * performs checks using the real user and group identifiers of the pro-
+   * cess, euidaccess(3) uses the effective identifiers.
+   * eaccess(3) is a synonym for euidaccess(3), provided for compatibility
+   * with some other systems. */
+  if (eaccess (name, X_OK) == 0)
+      r |= FS_EXECABLE;
+  if (eaccess (name, R_OK) == 0)
+      r |= FS_READABLE;
+#elif defined (AFS)
   /* We have to use access(2) to determine access because AFS does not
      support Unix file system semantics.  This may produce wrong
      answers for non-AFS files when ruid != euid.  I hate AFS. */
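Review bot: the two new checks under `#if defined (HAVE_EACCESS)` call `eaccess (name, X_OK)` and `eaccess (name, R_OK)` directly, although lib/sh/eaccess.c (last hunk of this patch) already provides `sh_eaccess`, which first handles `/dev/fd` paths through `path_is_devfd` and then returns `eaccess (path, mode)` when `HAVE_EACCESS` is defined. Calling `sh_eaccess (name, X_OK)` and `sh_eaccess (name, R_OK)` in this branch would keep the platform choice in one place, so `file_status` and `sh_eaccess` cannot drift apart. The block comment is also pasted from the man page with the line-break hyphen left in ("pro-" / "cess") and reads "ACL's"; a short comment saying that the kernel check honours ACLs and uses the effective ids would be enough.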
@@ -102,8 +117,7 @@ file_status (name)
   if (access (name, R_OK) == 0)
     r |= FS_READABLE;
-  return r;
-#else /* !AFS */
+#else /* !AFS && !HAVE_EACCESS */
   /* Find out if the file is actually executable.  By definition, the
      only other criteria is that the file has an execute bit set that
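Review bot: the AFS block that ends at `r |= FS_READABLE;` is now reached only when `HAVE_EACCESS` is undefined, because the previous hunk turned `#if defined (AFS)` into an `#elif` behind the new test. An AFS build on a system that also provides eaccess(3) therefore switches from access(2) to eaccess(3), and the description does not mention this. Either state that the change is intended and was checked on AFS, or keep `AFS` as the first condition. Dropping `return r;` from this branch is fine given the common `return r;` after the `#endif` in the next hunk.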
@@ -146,8 +160,8 @@ file_status (name)
        r |= FS_READABLE;
+#endif /* !AFS && !HAVE_EACCESS */
   return r;
-#endif /* !AFS */
 /* Return non-zero if FILE exists and is executable.
--- lib/sh/eaccess.c
+++ lib/sh/eaccess.c    2009-06-04 11:59:33.165901707 +0200
@@ -201,7 +201,7 @@ sh_eaccess (path, mode)
   if (path_is_devfd (path))
     return (sh_stataccess (path, mode));
-#if defined (HAVE_EACCESS)             /* FreeBSD */
+#if defined (HAVE_EACCESS)             /* FreeBSD, GLIBC_2.4+ */
   return (eaccess (path, mode));
 #elif defined (EFF_ONLY_OK)            /* SVR4(?), SVR4.2 */
   return access (path, mode|EFF_ONLY_OK);
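Review bot: the comment on `#if defined (HAVE_EACCESS)` now names GLIBC_2.4+, but the patch touches only findcmd.c and lib/sh/eaccess.c, so nothing here shows that `HAVE_EACCESS` ends up defined on glibc or that the prototype is visible. glibc declares eaccess(3) in <unistd.h> only under `_GNU_SOURCE`, and the build in this report passes `-D_GNU_SOURCE` on the command line. Please confirm that a default configure run detects the function and sees the declaration in both files, and include the configure change in the patch if one is needed.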
