A cleanup from Jeff King.
Signed-off-by: Jonathan Nieder <jrnieder@xxxxxxxxx>
---
wrapper.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
Jeff King wrote:
> I kind of wonder if we are doing anything with the check at this point.
> I suppose ENOMEM and EIO are the only interesting things left at this
> point. The resulting code would be much nicer if the patch were just:
>
> -access_or_die(...);
> +access(...);
>
> but I guess those conditions are still worth checking for, especially if
> we think an attacker could trigger ENOMEM intentionally. To be honest, I
> am not sure how possible that is, but it is not that hard to do so.
Yeah, I was tempted to go the plain access() route. The case that
convinced me not to is that I wouldn't want to think about whether
there could have been a blip in $HOME producing EIO when wondering how
some malformed object had been accepted. The ENOMEM case just seemed
simpler to explain.
I would also be surprised if it is easy to control kernel ENOMEM
carefully enough to exploit (a more likely DoS outcome is crashing
programs or a kernel assertion failure, which are more harmless in
their way). I've given up on predicting what is too hard or easy
enough for security folks. I couldn't think of an obviously easier
vulnerability that is already accepted to put my mind at ease.
[...]
> I know you are trying to be flexible with the flag,
I was mostly worried about damage to readability if we end up needing
to go further down this direction. The opportunity to look at all
call sites was also nice.
[...]
> static int access_error_is_ok(int err, int flag)
> {
> return err == ENOENT || errno == ENOTDIR ||
> (flag & ACCESS_EACCES_OK && err == EACCES);
> }
Nice. Here's a patch for squashing in.
diff --git a/wrapper.c b/wrapper.c
index e860ad1..29a866b 100644
--- a/wrapper.c
+++ b/wrapper.c
@@ -408,11 +408,16 @@ void warn_on_inaccessible(const char *path)
warning(_("unable to access '%s': %s"), path, strerror(errno));
}
+static int access_error_is_ok(int err, unsigned flag)
+{
+ return errno == ENOENT || errno == ENOTDIR ||
+ ((flag & ACCESS_EACCES_OK) && errno == EACCES);
+}
+
int access_or_warn(const char *path, int mode, unsigned flag)
{
int ret = access(path, mode);
- if (ret && errno != ENOENT && errno != ENOTDIR &&
- (!(flag & ACCESS_EACCES_OK) || errno != EACCES))
+ if (ret && !access_error_is_ok(errno, flag))
warn_on_inaccessible(path);
return ret;
}
@@ -420,8 +425,7 @@ int access_or_warn(const char *path, int mode, unsigned flag)
int access_or_die(const char *path, int mode, unsigned flag)
{
int ret = access(path, mode);
- if (ret && errno != ENOENT && errno != ENOTDIR &&
- (!(flag & ACCESS_EACCES_OK) || errno != EACCES))
+ if (ret && !access_error_is_ok(errno, flag))
die_errno(_("unable to access '%s'"), path);
return ret;
}
--
1.8.2.1
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html