
util_file_readable does not check what one expects it to check #899

Open
valentin-krasontovitsch opened this issue Feb 16, 2023 · 0 comments

Comments

@valentin-krasontovitsch

util_file_readable uses util_entry_readable (and util_is_file, which is not the focus here). That function, util_entry_readable, looks as follows:

bool util_entry_readable(const char *entry) {
    stat_type buffer;
    /* True only if stat() succeeds and the owner's read bit (S_IRUSR, 0400)
     * is set; the calling process's own uid/gid are never consulted. */
    if (util_stat(entry, &buffer) == 0)
        return buffer.st_mode & S_IRUSR;
    else
        return false;
}

We get the stat of the file and check the mode for the S_IRUSR bit being set.
From the glibc docs:

S_IREAD
Read permission bit for the owner of the file. On many systems this bit is 0400.
S_IREAD is an obsolete synonym provided for BSD compatibility.

So we only check whether the owner of the file can read the file.

This check returns true for, say, a file with mode 0400 and owner root:root, which cannot be read by a non-root user.
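To make the difference concrete, here is an added, stand-alone C example. It is not code from the project: the project's util_stat/stat_type wrappers are replaced with plain stat(), and the mode-bit check is placed beside two checks that take the caller into account, faccessat(R_OK, AT_EACCESS) and an actual open(O_RDONLY). The temporary files under /tmp and the reference to /etc/shadow are constructed inputs for this example only.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check quoted in the issue, on plain stat(): true whenever the owner's
 * read bit is set, regardless of who is asking. */
static bool readable_by_mode(const char *entry)
{
    struct stat st;
    if (stat(entry, &st) != 0)
        return false;
    return (st.st_mode & S_IRUSR) != 0;
}

/* Ask the kernel whether the calling process may read the entry. AT_EACCESS
 * evaluates against the effective uid/gid (and capabilities such as
 * CAP_DAC_READ_SEARCH for root), so the answer matches a later open(). */
static bool readable_by_access(const char *entry)
{
    return faccessat(AT_FDCWD, entry, R_OK, AT_EACCESS) == 0;
}

/* Ground truth: actually open it for reading. This is the only check that is
 * not subject to a time-of-check/time-of-use race. */
static bool readable_by_open(const char *entry)
{
    int fd = open(entry, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return false;
    close(fd);
    return true;
}

/* Create a temporary file owned by us with the given permission bits and
 * write its path into out. Returns 0 on success, -1 on failure.
 * (Constructed test input for this example.) */
static int make_temp_file(mode_t mode, char *out, size_t outlen)
{
    char tmpl[] = "/tmp/readable-demo-XXXXXX";
    int fd = mkstemp(tmpl);               /* created with mode 0600 */
    if (fd < 0)
        return -1;
    if (fchmod(fd, mode) != 0 || strlen(tmpl) + 1 > outlen) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    strcpy(out, tmpl);
    return 0;
}

static void report(const char *path)
{
    printf("%-28s mode-bit: %-5s access(): %-5s open(): %s\n", path,
           readable_by_mode(path) ? "true" : "false",
           readable_by_access(path) ? "true" : "false",
           readable_by_open(path) ? "true" : "false");
}

int main(void)
{
    char path[64];
    struct stat st;

    /* Owner-readable file owned by us: all three checks agree. */
    if (make_temp_file(0400, path, sizeof path) == 0) {
        report(path);
        unlink(path);
    }
    /* No permission bits at all: the mode check says false; access() and
     * open() still say true when running as root, because root bypasses DAC. */
    if (make_temp_file(0000, path, sizeof path) == 0) {
        report(path);
        unlink(path);
    }
    /* A root-owned file that is not world-readable, if present on this host:
     * the S_IRUSR check reports true for every caller, while an unprivileged
     * process cannot open it. This is the case the issue describes. */
    if (stat("/etc/shadow", &st) == 0)
        report("/etc/shadow");
    return 0;
}
```

Run it once as an unprivileged user and once as root and the three columns diverge exactly where the issue predicts: the mode-bit column only ever describes the owner, while the other two describe the caller. Note that faccessat with AT_EACCESS (rather than plain access(), which uses the real uid) is what you want in a setuid or privilege-dropping program; and since any pre-check can be invalidated between the check and the use, the robust pattern is to open the file and handle EACCES rather than to predict the outcome.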
