git-compat-util: work around for access(X_OK) under root
authorClément Chigot <clement.chigot@atos.net>
Thu, 25 Apr 2019 07:01:56 +0000 (07:01 +0000)
committerJunio C Hamano <gitster@pobox.com>
Thu, 25 Apr 2019 08:49:44 +0000 (17:49 +0900)
On AIX, access(X_OK) may succeed when run as root even if the
execution isn't possible. This behavior is allowed by POSIX
which says:

... for a process with appropriate privileges, an implementation
may indicate success for X_OK even if execute permission is not
granted to any user.

It can lead hook programs to have their execution refused:

git commit -m content
fatal: cannot exec '.git/hooks/pre-commit': Permission denied

Add NEED_ACCESS_ROOT_HANDLER in order to use an access helper function.
It checks with stat if any executable flags is set when the current user
is root.

Signed-off-by: Clément Chigot <clement.chigot@atos.net>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
Makefile
compat/access.c [new file with mode: 0644]
compat/fileno.c
config.mak.uname
git-compat-util.h
index c5240942f29e788ac08daa9329de52aaa3415708..b5e2822d82d4b904de004c1e5c2d154b6bb33115 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -439,6 +439,9 @@ all::
 #
 # Define FILENO_IS_A_MACRO if fileno() is a macro, not a real function.
 #
+# Define NEED_ACCESS_ROOT_HANDLER if access() under root may success for X_OK
+# even if execution permission isn't granted for any user.
+#
 # Define PAGER_ENV to a SP separated VAR=VAL pairs to define
 # default environment variables to be passed when a pager is spawned, e.g.
 #
@@ -1815,6 +1818,11 @@ ifdef FILENO_IS_A_MACRO
        COMPAT_OBJS += compat/fileno.o
 endif
 
+ifdef NEED_ACCESS_ROOT_HANDLER
+       COMPAT_CFLAGS += -DNEED_ACCESS_ROOT_HANDLER
+       COMPAT_OBJS += compat/access.o
+endif
+
 ifeq ($(TCLTK_PATH),)
 NO_TCLTK = NoThanks
 endif
diff --git a/compat/access.c b/compat/access.c
new file mode 100644 (file)
index 0000000..19fda3e
--- /dev/null
@@ -0,0 +1,31 @@
+#define COMPAT_CODE_ACCESS
+#include "../git-compat-util.h"
+
+/* Do the same thing access(2) does, but use the effective uid,
+ * and don't make the mistake of telling root that any file is
+ * executable.  This version uses stat(2).
+ */
+int git_access(const char *path, int mode)
+{
+       struct stat st;
+
+       /* do not interfere a normal user */
+       if (geteuid())
+               return access(path, mode);
+
+       if (stat(path, &st) < 0)
+               return -1;
+
+       /* Root can read or write any file. */
+       if (!(mode & X_OK))
+               return 0;
+
+       /* Root can execute any file that has any one of the execute
+        * bits set.
+        */
+       if (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH))
+               return 0;
+
+       errno = EACCES;
+       return -1;
+}
index 7b105f4cd71a4ea4c1ae9f537ef0fe3eea7d9dc3..8e80ef335d84ecf5ccec6c5994e684c3951cca17 100644 (file)
@@ -1,4 +1,4 @@
-#define COMPAT_CODE
+#define COMPAT_CODE_FILENO
 #include "../git-compat-util.h"
 
 int git_fileno(FILE *stream)
index 4ef11ce41873b03e1a22453f0fafcf3399efd199..97ebacc1c5cc8250186f3e48f4d4b6a86fed6460 100644 (file)
@@ -270,6 +270,7 @@ ifeq ($(uname_S),AIX)
        NEEDS_LIBICONV = YesPlease
        BASIC_CFLAGS += -D_LARGE_FILES
        FILENO_IS_A_MACRO = UnfortunatelyYes
+       NEED_ACCESS_ROOT_HANDLER = UnfortunatelyYes
        ifeq ($(shell expr "$(uname_V)" : '[1234]'),1)
                NO_PTHREADS = YesPlease
        else
index 6573808ebd991b52eca7cc644af4c9611b9c3747..e3c79b14782dba08eecc64c2352b98e6e08116a1 100644 (file)
@@ -1236,12 +1236,22 @@ struct tm *git_gmtime_r(const time_t *, struct tm *);
 
 #ifdef FILENO_IS_A_MACRO
 int git_fileno(FILE *stream);
-# ifndef COMPAT_CODE
+# ifndef COMPAT_CODE_FILENO
 #  undef fileno
 #  define fileno(p) git_fileno(p)
 # endif
 #endif
 
+#ifdef NEED_ACCESS_ROOT_HANDLER
+int git_access(const char *path, int mode);
+# ifndef COMPAT_CODE_ACCESS
+#  ifdef access
+#  undef access
+#  endif
+#  define access(path, mode) git_access(path, mode)
+# endif
+#endif
+
 /*
  * Our code often opens a path to an optional file, to work on its
  * contents when we can successfully open it.  We can ignore a failure