Subject: kern/3461: root gets execute-permission even on non-exec-files
To: None <gnats-bugs@gnats.netbsd.org, hubert.feyrer@rz.uni-regensburg.de>
From: Hubert Feyrer <feyrer@rfhs8012.fh-regensburg.de>
List: netbsd-bugs
Date: 04/08/1997 05:01:24
>Number:         3461
>Category:       kern
>Synopsis:       root gets execute-permission even on non-exec-files
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    kern-bug-people (Kernel Bug People)
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Apr  7 20:05:01 1997
>Last-Modified:
>Originator:     Hubert Feyrer
>Organization:
Hubert Feyrer <hubert.feyrer@rz.uni-regensburg.de>
>Release:        1.2
>Environment:
	
System: NetBSD miyu 1.2 NetBSD 1.2 (MIYU) #70: Tue Apr 8 04:18:20 MET DST 1997 feyrer@miyu:/usr/src12/sys/arch/i386/compile/MIYU i386


>Description:
	root gets execute-permission even on non-executable files
	(the ones with x-bit set) when checking with access(2).
	This is annoying if you want to see if a file can be
	executed directly or must be passed to some shell. 

>How-To-Repeat:
	as root, do: 
	# [ -x /etc/passwd ] ; echo $?
	(assuming /etc/passwd is mode 644)

>Fix:

Patch for /usr/src/sys/kern/vfs_subr.c (as of NetBSD V1.2) to return 
EACCES when asking for execute-access as root.

Issues:
 - is the test for S_IXUSR ok?
 - should the test make sure that EACCES is only returned when accessing
   a vnode of type VREG? (vaccess would need to get a vnode-ptr then)


 - Hubert Feyrer <hubert.feyrer@rz.uni-regensburg.de>



*** vfs_subr.c.orig	Tue Apr  8 04:29:09 1997
--- vfs_subr.c	Tue Apr  8 04:29:32 1997
***************
*** 1501,1509 ****
  {
  	mode_t mask;
  	
! 	/* User id 0 always gets access. */
  	if (cred->cr_uid == 0)
! 		return 0;
  	
  	mask = 0;
  	
--- 1501,1512 ----
  {
  	mode_t mask;
  	
! 	/* User id 0 always gets access, unless executing. */
  	if (cred->cr_uid == 0)
! 	      if ((acc_mode & VEXEC) && !(file_mode & S_IXUSR))
! 	            return EACCESS;
!               else
!                     return 0;
  	
  	mask = 0;
  	
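Review bot: `return EACCESS;` in the new uid-0 branch will not compile, because the errno constant is spelled EACCES. While fixing that, put braces around the nested if/else: as written, `else return 0;` attaches to the inner if only through the dangling-else rule, and the mixed tab and space indentation hides which if it belongs to. The test `!(file_mode & S_IXUSR)` also refuses root on a file whose only execute bit is for group or other; testing against S_IXUSR | S_IXGRP | S_IXOTH would settle the first issue listed above the patch.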



Here's the corresponding fix for /usr/src/lib/libc/sys/access.2:

*** access.2.orig       Tue Apr  8 04:38:35 1997
--- access.2    Tue Apr  8 04:39:14 1997
***************
*** 71,84 ****
  and the real group access list
  (including the real group ID) are
  used in place of the effective ID for verifying permission.
- .Pp
- Even if a process has appropriate privileges and indicates success for
- .Dv X_OK ,
- the file may not actually have execute permission bits set.
- Likewise for
- .Dv R_OK
- and
- .Dv W_OK .
  .Sh RETURN VALUES
  If
  .Fa path
--- 71,76 ----
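Review bot: The deleted paragraph also covers R_OK and W_OK ("Likewise for .Dv R_OK and .Dv W_OK"), but the vfs_subr.c change only alters the execute case, so root still gets success for read and write whatever the mode bits say. Keep the paragraph and reword it to describe only R_OK and W_OK instead of removing it entirely.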

>Audit-Trail:
>Unformatted: