From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jamie Lokier
Subject: Re: SELinux and access(2), we want to know.
Date: Fri, 8 May 2009 14:14:51 +0100
Message-ID: <20090508131451.GA3593@shareable.org>
References: <1241723924.2791.107.camel@localhost.localdomain>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: selinux@tycho.nsa.gov, linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, viro@ZenIV.linux.org.uk, sds@tycho.nsa.gov
To: Eric Paris
Return-path:
Content-Disposition: inline
In-Reply-To: <1241723924.2791.107.camel@localhost.localdomain>
Sender: linux-security-module-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

Eric Paris wrote:
> If a process calls access("/etc/shadow", R_OK) I claim
> that we darn sure better return the same result that open("/etc/shadow",
> O_RDONLY) would return. I'm guessing no one is going to argue that
> point.

This is actually wrong in general - and I see that several posters
have repeated it as if it's a fact.

Since the days prior to the new-fangled security models, access() is
supposed to calculate access for the _real_ user and group of the
process doing the access, whereas open() uses the _effective_ user and
group.

It is one of the things access() is useful for, in setuid/setgid
programs.

It should be quite obvious that there are corresponding concepts in
modern security models, such as delegated authority, capabilities
etc. which possibly ought to apply to access(), and which possibly
affect how it's audited.

-- Jamie
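
An added example, not part of the original message: a small C program that runs the real-ID check (access()), the effective-ID check (faccessat() with AT_EACCESS) and the actual open() on one path, so the real/effective distinction described above can be observed when the binary runs setuid or setgid. The names check_read, read_checks, ids_differ and show are made up for this example; the default path is the one from the quoted message.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* for AT_EACCESS on older libcs */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Each field is 0 on success, otherwise the errno of the failed call. */
struct read_checks {
    int real_ids;       /* access(): checked against real UID/GID */
    int effective_ids;  /* faccessat(AT_EACCESS): effective UID/GID */
    int open_rdonly;    /* open(O_RDONLY): effective UID/GID, the real outcome */
};

/* Run all three read checks on one path (hypothetical helper). */
struct read_checks check_read(const char *path)
{
    struct read_checks r;
    int fd;
    r.real_ids = access(path, R_OK) == 0 ? 0 : errno;
    r.effective_ids = faccessat(AT_FDCWD, path, R_OK, AT_EACCESS) == 0 ? 0 : errno;
    fd = open(path, O_RDONLY | O_NONBLOCK | O_NOCTTY);
    r.open_rdonly = fd >= 0 ? 0 : errno;
    if (fd >= 0)
        close(fd);
    return r;
}

/* Nonzero when real and effective IDs differ, as in a setuid/setgid program. */
int ids_differ(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

static const char *show(int e) { return e ? strerror(e) : "allowed"; }

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/etc/shadow";
    struct read_checks r = check_read(path);
    printf("uid=%ld euid=%ld%s\n", (long)getuid(), (long)geteuid(),
           ids_differ() ? " (real and effective IDs differ)" : "");
    printf("access(R_OK), real IDs:         %s\n", show(r.real_ids));
    printf("faccessat(AT_EACCESS), eff IDs: %s\n", show(r.effective_ids));
    printf("open(O_RDONLY):                 %s\n", show(r.open_rdonly));
    return 0;
}
```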