Date: Thu, 23 May 2024 02:47:15 GMT
Message-Id: <202405230247.44N2lFMP057504@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling =?utf-8?Q?Sm=C3=B8rgrav?= Subject: git: fb18c369c32d - releng/14.1 - access(2): Discourage use of these system calls. List-Id: Commit messages for all branches of the src repository List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: dev-commits-src-all@freebsd.org Sender: owner-dev-commits-src-all@FreeBSD.org MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: des X-Git-Repository: src X-Git-Refname: refs/heads/releng/14.1 X-Git-Reftype: branch X-Git-Commit: fb18c369c32d746569e36ae7dca7dad43bcc118e Auto-Submitted: auto-generated The branch releng/14.1 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=fb18c369c32d746569e36ae7dca7dad43bcc118e commit fb18c369c32d746569e36ae7dca7dad43bcc118e Author: Dag-Erling Smørgrav AuthorDate: 2024-05-21 22:35:22 +0000 Commit: Dag-Erling Smørgrav CommitDate: 2024-05-23 02:45:55 +0000 access(2): Discourage use of these system calls. Fixes: 421025a274fb PR: 262895 MFC after: 3 days Reviewed by: emaste Differential Revision: https://reviews.freebsd.org/D45240 (cherry picked from commit a4be1eb21165d7aedae9dc6634528619ff10d025) (cherry picked from commit 79b39f23e1341bdc3ab9c6a08e1506d40b8b6dbc) Approved by: re (cperciva) --- lib/libc/sys/access.2 | 105 ++++++++++++++++++++++++-------------------------- 1 file changed, 50 insertions(+), 55 deletions(-) diff --git a/lib/libc/sys/access.2 b/lib/libc/sys/access.2 index 64ed1133b23d..8595444720b1 100644 --- a/lib/libc/sys/access.2 +++ b/lib/libc/sys/access.2 @@ -27,7 +27,7 @@ .\" .\" @(#)access.2 8.2 (Berkeley) 4/1/94 .\" -.Dd May 13, 2024 +.Dd May 21, 2024 .Dt ACCESS 2 .Os .Sh NAME 
@@ -47,35 +47,43 @@ .Fn faccessat "int fd" "const char *path" "int mode" "int flag" .Sh DESCRIPTION The -.Fn access -and +.Fn access , .Fn eaccess -system calls check the accessibility of the -file named by -the +and +.Fn faccessat +system calls report whether an attempt to access the file designated +by their .Fa path -argument -for the access permissions indicated by -the +in the manner described by their .Fa mode -argument. +argument is likely to succeed. The value of .Fa mode -is either the bitwise-inclusive OR of the access permissions to be -checked -.Dv ( R_OK +is either the bitwise-inclusive OR of the desired permissions +.Po +.Dv R_OK for read permission, .Dv W_OK for write permission, and .Dv X_OK -for execute/search permission), -or the existence test -.Pq Dv F_OK . +for execute / search permission +.Pc +or +.Dv F_OK +to simply check whether the file exists. .Pp -For additional information, see the -.Sx "File Access Permission" -section of -.Xr intro 2 . +For a number of reasons, these system calls cannot be relied upon to +give a correct and definitive answer. +They can at best provide an early indication of the expected outcome, +to be confirmed by actually attempting the operation. +For existence checks, either +.Xr stat 2 +or +.Xr lstat 2 +should be used instead. +See also +.Sx SECURITY CONSIDERATIONS +below. .Pp The .Fn eaccess @@ -89,6 +97,13 @@ the real user ID in place of the effective user ID, the real group ID in place of the effective group ID, and the rest of the group access list. .Pp +See the +.Sx DEFINITIONS +section of +.Xr intro 2 +for additional information on file access permissions and real +vs. effective user and group IDs. +.Pp The .Fn faccessat system call is equivalent to 
@@ -116,8 +131,10 @@ list, defined in .In fcntl.h : .Bl -tag -width indent .It Dv AT_EACCESS -The checks for accessibility are performed using the effective user and group -IDs instead of the real user and group ID as required in a call to +The checks are performed using the effective user and group IDs, +like +.Fn eaccess , +instead of the real user and group ID, like .Fn access . .It Dv AT_RESOLVE_BENEATH Only walk paths below the directory specified by the @@ -149,23 +166,15 @@ Likewise for .Dv R_OK and .Dv W_OK . -.Pp -.Fn access , -.Fn eaccess -and -.Fn faccessat -will always dereference symbolic links. -If the symbolic link itself needs to be referenced, -.Xr lstat 2 -should be used instead. .Sh RETURN VALUES .Rv -std .Sh ERRORS +The .Fn access , .Fn eaccess , -or +and .Fn faccessat -will fail if: +system calls may fail if: .Bl -tag -width Er .It Bq Er EINVAL The value of the 
@@ -256,25 +265,11 @@ system call appeared in .Fx 8.0 . .Sh SECURITY CONSIDERATIONS The -.Fn access -system call -is a potential security hole due to race conditions and -should never be used. -Set-user-ID and set-group-ID applications should restore the -effective user or group ID, -and perform actions directly rather than use -.Fn access -to simulate access checks for the real user or group ID. -The -.Fn eaccess -system call -likewise may be subject to races if used inappropriately. -.Pp -.Fn access -remains useful for providing clues to users as to whether operations -make sense for particular filesystem objects (e.g. 'delete' menu -item only highlighted in a writable folder ... avoiding interpretation -of the st_mode bits that the application might not understand -- -e.g. in the case of AFS). -It also allows a cheaper file existence test than -.Xr stat 2 . +.Fn access , +.Fn eaccess , +and +.Fn faccessat +system calls are subject to time-of-check-to-time-of-use races and +should not be relied upon for file permission enforcement purposes. +Instead, applications should perform the desired action using the +requesting user's credentials.
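Review bot: In the DESCRIPTION hunk (@@ -47,35 +47,43 @@), the new sentence "For existence checks, either .Xr stat 2 or .Xr lstat 2 should be used instead." gives no reason why F_OK is less trustworthy than stat(2), even though both are equally exposed to the race the preceding sentence alludes to; a reader will otherwise assume an F_OK probe is fine. Suggest one clause stating why (or pointing at the ERRORS entries that apply to F_OK), so the recommendation is not read as arbitrary. Minor style point in the same hunk: "execute / search permission" puts spaces around the slash, whereas the old text and the rest of the page use "execute/search".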
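Review bot: In the AT_EACCESS hunk (@@ -116,8 +131,10 @@), the added lines mix number: "using the effective user and group IDs," versus "instead of the real user and group ID, like". Suggest "real user and group IDs" so both halves of the sentence agree.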
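Review bot: The hunk at @@ -149,23 +166,15 @@ removes the only statement on the page that access(2), eaccess(2) and faccessat(2) "will always dereference symbolic links", together with the advice that lstat(2) is the tool when the link itself is of interest. With that gone, the DESCRIPTION hunk's "either .Xr stat 2 or .Xr lstat 2" offers two alternatives without telling the reader when each applies. Suggest keeping the dereference sentence, for example next to the stat/lstat recommendation in DESCRIPTION, rather than dropping it.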
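Review bot: In the SECURITY CONSIDERATIONS hunk (@@ -256,25 +265,11 @@), the replacement loses the concrete guidance the old text gave to privileged programs: "Set-user-ID and set-group-ID applications should restore the effective user or group ID, and perform actions directly rather than use .Fn access to simulate access checks". The new closing sentence, "applications should perform the desired action using the requesting user's credentials", says what to do but not how a set-user-ID program gets there. Suggest retaining the old sentence (or an equivalent) after the new TOCTOU paragraph, so the section still names the mechanism and not only the principle.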