Bug related to ACLs in cvsweb
Johan Myreen
jem at iki.fi
Sat May 25 13:46:51 UTC 2013
Hi.

Due to a Perl misfeature, cvsweb.cgi does not work correctly if Access
Control Lists (ACLs) are in use. The script includes the pragma

    use filetest qw(access);

This pragma changes how Perl does permission checks on files and
directories; instead of using stat(), permissions are checked using
access(). The problem is that the script uses the cached value of a
stat() call to check permissions, using the special filehandle _.

When the filetest 'access' pragma is in use, the -r $file, -w $file and
-x $file tests do not set the cache (because no call to stat() is made).
What's worse, when the stat cache is set, e.g. as a result of -d $file,
it contains the wrong value for a -r _ test. The stat cache contains the
traditional rwx mode bits, and does not reflect any additional
permissions granted by the ACL. See: http://perldoc.perl.org/filetest.html

ACLs are very useful when used with cvsweb. You can grant the 'www-data'
user read permission to the repository files without opening them up to
all users on the server (with chmod o+r). Of course, you could add user
'www-data' to the 'cvs' group, but that would mean 'www-data' would have
write permission to the repository.

Patch attached.

Keywords: cvsweb acl bug filetest access

Johan Myréen
jem at iki.fi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: cvsweb.diff
Type: text/x-patch
Size: 2219 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-cvsweb/attachments/20130525/016ac8cd/attachment.bin>
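
The stat-cache behaviour described in the message, as an added example: this is not the attached patch (which the archive scrubbed) and not code from cvsweb.cgi. All sub names and the sample tree are hypothetical and constructed for the illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed sample tree standing in for a repository directory and one file.
my $dir  = tempdir(CLEANUP => 1);
my $file = File::Spec->catfile($dir, 'sample,v');
open(my $fh, '>', $file) or die "cannot create $file: $!";
close($fh);

# Without the pragma, -r $f calls stat(), so _ afterwards describes $f.
sub cache_tracks_file_plain {
    my ($d, $f) = @_;
    my $is_dir   = -d $d;
    my $readable = -r $f;
    return (-f _) ? 1 : 0;
}

# With the pragma, -r $f calls access() and leaves _ untouched, so _ still
# holds the stat() result for $d from the earlier -d test.
sub cache_tracks_file_access {
    my ($d, $f) = @_;
    use filetest qw(access);
    my $is_dir   = -d $d;
    my $readable = -r $f;
    return (-f _) ? 1 : 0;
}

# Fragile under the pragma: -r _ and -x _ are answered from the cached rwx
# mode bits of the -d stat(), so permissions granted only by an ACL are missed.
sub dir_usable_cached {
    my ($path) = @_;
    use filetest qw(access);
    return (-d $path && -r _ && -x _) ? 1 : 0;
}

# Robust: name the path in every test so -r and -x go through access().
sub dir_usable {
    my ($path) = @_;
    use filetest qw(access);
    return (-d $path && -r $path && -x $path) ? 1 : 0;
}

printf "_ describes file, no pragma:   %d\n", cache_tracks_file_plain($dir, $file);
printf "_ describes file, with pragma: %d\n", cache_tracks_file_access($dir, $file);
printf "dir usable via cached _:       %d\n", dir_usable_cached($dir);
printf "dir usable via named path:     %d\n", dir_usable($dir);
```

The two dir_usable subs only disagree on a directory whose read or search permission for the calling user comes from an ACL entry rather than from the mode bits, which the temporary tree here does not set up.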