On Wed, Jan 21, 2009 at 4:10 AM, Joerg Schilling <[email protected]> wrote:
> David Bartley <[email protected]> wrote:
>
>> On Tue, Jan 13, 2009 at 5:12 AM, <[email protected]> wrote:
>> >
>> > I see no reason for "access(file, X_OK))" should return 0 for
>> > ordinary files which have no execute bit set.
>> >
>> > I think we can just change that.
>>
>> This behaviour is controlled by the file_dac_execute privilege.
>> Processes running as root will always get this privilege in their
>
> Even root can execute things only if at least one "x" bit has been set.
> The file_dac_execute privilege just controls whether the "right" bit is
> required or whether any "x" bit would be OK.

Ah, ok. Right now it looks like there's no check in the VOP_ACCESS path
(specifically secpolicy_vnode_access, where file_dac_execute is checked)
for whether at least one execute bit is set. exec has this check [1], so
this explains why you can't actually execute some files even though
access says you should be able to. Could we perhaps just copy this check
into secpolicy_vnode_access in the VEXEC branch [2]?

[1] http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/os/exec.c#947
[2] http://src.opensolaris.org/source/xref/onnv/onnv-gate/usr/src/uts/common/os/policy.c#856

-- David
