可执行文件设置root suid,但是access(path, W_OK) 还是return -1?
Executable file set root suid, but access(path, W_OK) still return -1?
为什么可执行文件设置了root suid,但是access(path, W_OK)还是return -1?
代码:
#include <stdio.h>
#include <unistd.h>
int main()
{
printf("privilege => %d\n", access("/usr/local/etc/t.conf", W_OK));
return 0;
}
测试运行:
[www@mypy access]$ ll
总用量 12
-rwsrwxr-x. 1 root root 6600 1月 22 10:05 access
-rw-rw-r--. 1 www www 135 1月 22 10:05 access.c
[www@mypy access]$ ./access
privilege => -1
[root@mypy access]# ./access
privilege => 0
access
库函数故意检查真实用户的访问权限,忽略了可执行文件具有不同有效 UID/GID.
的事实
如果您只想知道是否可以进行读或写访问,您可以打开文件并查看是否有错误。但是,细心的 setuid 可执行文件通常想知道真实用户是否能够对文件执行操作。要找出答案,他们可以使用 access
库函数。
这在man 2 access
中有解释:
The check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g., open(2)
) on the file.…
This allows set-user-ID programs and capability-endowed programs to easily determine the invoking user's authority. In other words, access() does not answer the "can I read/write/execute this file?" question. It answers a slightly different question: "(assuming I'm a setuid binary) can the user who invoked me read/write/execute this file?", which gives set-user-ID programs the possibility to prevent malicious users from causing them to read files which users shouldn't be able to read.
感谢rici的回答!我完成如下
int accesswriteable(char const *path)
{
if(access(path, F_OK))
{
return 1;
}
FILE *fp = fopen(path, "a");
if(fp == NULL)
{
return 1;
}
fclose(fp);
return 0;
}
#define PATH_WRITE_ABLE(path) (accesswriteable(path) == 0)
为什么可执行文件设置了root suid,但是access(path, W_OK)还是return -1?
代码:
#include <stdio.h>
#include <unistd.h>
int main()
{
printf("privilege => %d\n", access("/usr/local/etc/t.conf", W_OK));
return 0;
}
测试运行:
[www@mypy access]$ ll
总用量 12
-rwsrwxr-x. 1 root root 6600 1月 22 10:05 access
-rw-rw-r--. 1 www www 135 1月 22 10:05 access.c
[www@mypy access]$ ./access
privilege => -1
[root@mypy access]# ./access
privilege => 0
access
库函数故意检查真实用户的访问权限,忽略了可执行文件具有不同有效 UID/GID.
如果您只想知道是否可以进行读或写访问,您可以打开文件并查看是否有错误。但是,细心的 setuid 可执行文件通常想知道真实用户是否能够对文件执行操作。要找出答案,他们可以使用 access
库函数。
这在man 2 access
中有解释:
The check is done using the calling process's real UID and GID, rather than the effective IDs as is done when actually attempting an operation (e.g.,
open(2)
) on the file.…This allows set-user-ID programs and capability-endowed programs to easily determine the invoking user's authority. In other words, access() does not answer the "can I read/write/execute this file?" question. It answers a slightly different question: "(assuming I'm a setuid binary) can the user who invoked me read/write/execute this file?", which gives set-user-ID programs the possibility to prevent malicious users from causing them to read files which users shouldn't be able to read.
感谢rici的回答!我完成如下
int accesswriteable(char const *path)
{
if(access(path, F_OK))
{
return 1;
}
FILE *fp = fopen(path, "a");
if(fp == NULL)
{
return 1;
}
fclose(fp);
return 0;
}
#define PATH_WRITE_ABLE(path) (accesswriteable(path) == 0)