[Bug 370749] Re: dash's test ("[") builtin uses stat() instead of access()

Bug Watch Updater 370749 at bugs.launchpad.net
Sat Aug 20 02:23:30 UTC 2011


** Changed in: dash (Debian)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/370749

Title:
  dash's test ("[") builtin uses stat() instead of access()

Status in “dash” package in Ubuntu:
  New
Status in “dash” package in Debian:
  Fix Released

Bug description:
  Binary package hint: dash

  The -r and -w (and possibly -x) flags to the test (aka "[") builtin,
  in other shells like bash, as well as the /usr/bin/[ from coreutils,
  use the access() system call to determine whether you have the ability
  to read or write a file. dash's test, however, uses the stat() system
  call, and manually checks the permission bits against your uid. This can
  cause incorrect results on filesystems where there are more (or fewer)
  permission checks than just the UNIX mode, such as most networked
  filesystems. For instance, I have tax forms in AFS with mode 666, but
  my home directory is only actually readable if you have my
  credentials. dash doesn't realize this:

  kid-icarus:~ geofft$ ls -l Form1098t.pdf 
  -rw-rw-rw- 1 geofft 501 25423 2007-04-01 23:28 Form1098t.pdf
  kid-icarus:~ geofft$ [ -r Form1098t.pdf ] && echo yes
  yes
  kid-icarus:~ geofft$ unlog
  kid-icarus:~ geofft$ [ -r Form1098t.pdf ] && echo yes
  kid-icarus:~ geofft$ /usr/bin/[ -r Form1098t.pdf ] && echo yes
  kid-icarus:~ geofft$ dash -c '[ -r Form1098t.pdf ] && echo yes'
  yes
  kid-icarus:~ geofft$ cat Form1098t.pdf 
  cat: Form1098t.pdf: Permission denied

  dash should be changed to use access() instead, which will still
  return the correct answer on a filesystem that uses UNIX modes solely,
  but will ALSO return the correct answer on a filesystem that does
  something different and has an appropriate implementation of access().

  There are warnings in access's manpage about a TOCTOU attack if you
  attempt to secure something by taking advantage of access() checking
  real UID whereas open() checks effective UID. This is basically
  irrelevant for shells, since you never have setuid shell scripts (and
  I've never seen a setuid shell). Something like "sudo sh" will set
  both the real and effective UIDs to root.

  (The example above used Jaunty, with dash 0.5.4-12ubuntu2.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/370749/+subscriptions
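
Added example, not part of the original bug report and not dash's source: a C program that contrasts a simplified stat() mode-bit check with access() and with an actual open() on a constructed temporary file. The helper names and the /tmp path are assumptions, and the mode-bit check ignores supplementary groups.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Simplified mode-bit check of the kind the report describes (hypothetical). */
static int readable_by_mode_bits(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (st.st_uid == geteuid()) return (st.st_mode & S_IRUSR) != 0;
    if (st.st_gid == getegid()) return (st.st_mode & S_IRGRP) != 0;
    return (st.st_mode & S_IROTH) != 0;
}

/* Ask the kernel (and through it the filesystem) instead of guessing. */
static int readable_by_access(const char *p) { return access(p, R_OK) == 0; }

/* Ground truth: does a read-only open() actually succeed? */
static int readable_by_open(const char *path) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    close(fd);
    return 1;
}

/* Creates a constructed temp file with the given mode and returns verdict
 * bits: 1 = mode bits, 2 = access(), 4 = open(); -1 if setup fails. */
int compare_checks(mode_t mode) {
    char path[] = "/tmp/stat_vs_access_XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (fchmod(fd, mode) != 0) { close(fd); unlink(path); return -1; }
    close(fd);
    int v = readable_by_mode_bits(path) | (readable_by_access(path) << 1)
          | (readable_by_open(path) << 2);
    unlink(path);
    return v;
}

int main(void) {
    mode_t modes[] = {0644, 0000};
    for (int i = 0; i < 2; i++) {
        int v = compare_checks(modes[i]);
        if (v < 0) return 1;
        printf("mode %04o: mode-bits=%d access()=%d open()=%d\n",
               (unsigned)modes[i], v & 1, (v >> 1) & 1, (v >> 2) & 1);
    }
    return 0;
}
```

On a local filesystem as an unprivileged user the three verdicts agree. Run as root on the mode 0000 file, or on a filesystem that enforces more than the UNIX mode as in the AFS case reported above, the mode-bit verdict typically diverges from access() and open().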



