Red Hat Bugzilla – Bug 124037
os.access erroneously reports writable file not writable in setuid environment
Last modified: 2007-11-30 17:10:43 EST
Description of problem:
I wrap a Python CGI with a setuid wrapper written in C. When
executing this program on my Fedora Core 2 workstation,
os.access(<filename>, os.W_OK) returns 0 (i.e. "not accessible") for a
file that *is* writable by the owner of the CGI, i.e. the user to
which the effective UID has been set. os.geteuid correctly returns
the effective UID of the CGI owner, but os.access apparently looks
elsewhere for that value, although its documentation claims:
    access(path, mode)
    Use the real uid/gid to test for access to path. Note that most
    operations will use the effective uid/gid, therefore this routine can
    be used in a suid/sgid environment to test if the invoking user has
    the specified access to path.
Note that "man 2 access," which documents the system call os.access
uses, also claims to be using the real uid/gid, but it never claims to
use the effective uid/gid or be usable in a setuid environment (except
for determining whether the invoking user would have access to a file
that the effective user has access to).
This may not be a bug, since os.access only claims to use the
effective UID most of the time, but if not it's at least worthy of
documentation in release notes. Note that the script I'm writing on
my Fedora workstation gets published to a FreeBSD 4.8-STABLE server
also running Python 2.3.3 on which this problem does not occur.
Version-Release number of selected component (if applicable): Fedora
Core 2, Python 2.3.3
How reproducible: Happens every time.
Will have a look.
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
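
The behaviour described in the report, as an added example that is not part of the original bug report or of the Python project: it compares the real-ID check that os.access performs by default with an effective-ID check and with simply opening the file, which is what a setuid program should rely on. It assumes Python 3.3 or later (the effective_ids parameter does not exist in the 2.3.3 release the report concerns); the function names access_report and open_for_append are hypothetical.

```python
import errno
import os
import tempfile


def access_report(path, mode=os.W_OK):
    """Compare the real-ID check with the effective-ID check for one path."""
    report = {
        "ruid": os.getuid(),    # invoking user (e.g. the web server account)
        "euid": os.geteuid(),   # user the setuid wrapper switched to
        # access(2) semantics: permission is tested against the REAL uid/gid.
        "real_ids": os.access(path, mode),
        "effective_ids": None,  # stays None where the platform lacks support
    }
    # faccessat(AT_EACCESS) semantics: tested against the EFFECTIVE uid/gid.
    if os.access in os.supports_effective_ids:
        report["effective_ids"] = os.access(path, mode, effective_ids=True)
    return report


def open_for_append(path):
    """Let the kernel decide using the effective IDs, with no gap between
    the permission check and the use of the file."""
    try:
        return os.open(path, os.O_WRONLY | os.O_APPEND)
    except OSError as exc:
        if exc.errno in (errno.EACCES, errno.EPERM, errno.ENOENT, errno.EROFS):
            return None
        raise


if __name__ == "__main__":
    # Constructed sample file; under a setuid wrapper ruid and euid differ
    # and "real_ids" can be False while the open below still succeeds.
    with tempfile.NamedTemporaryFile() as tmp:
        print(access_report(tmp.name))
        fd = open_for_append(tmp.name)
        print("open succeeded:", fd is not None)
        if fd is not None:
            os.close(fd)
```

When run without a setuid wrapper the real and effective IDs are equal, so both checks agree; the difference the reporter saw appears only when they differ.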