[webstack-discuss] [sfwnv-discuss] Ruby File.readable doesn't work with ACL

Tue, 26 Jan 2010 09:04:51 PST 

> Ruby seems to prefer to check access rights based on
> effective uid where 
> possible and not on the actual uid and some platforms
> provide a system 
> call to facilitate this. OpenSolaris doesn't so the
> fallback is to 
> perform manual checks using the 'mode' of the
> file/directory. This 
> completely ignores any ACLs that may be set on that
> file/directory. The 
> access() system call is a standard C-library function
> and on OpenSolaris 
> it works with ACLs but as it uses the real uid it's
> only used as a 
> fallback if a platform has no way to determine
> effective uid. 
> OpenSolaris does, so access() is never used.
>

Thanks for the helpful explanation, in this case, I think there is a solution.

Just checked `man access`, and there is a faccessat() call can use AT_EACCESS 
flag to check permission with effective uid/gid. Quoted below,

The faccessat() function is equivalent to the access() func-
     tion,  except  in  the  case where path specifies a relative
     path. In this case the file whose  accessibility  is  to  be
     determined  is  located relative to the directory associated
     with the file descriptor fd instead of the  current  working
     directory.

     If faccessat() is passed in the  fd  parameter  the  special
     value  AT_FDCWD,  defined  in <fcntl.h>, the current working
     directory is used and the behavior is identical to a call to
     access().

     Values for flag are constructed by a bitwise-inclusive OR of
     flags from the following list, defined in <fcntl.h>:

     AT_EACCESS    The checks  for  accessibility  are  performed
                   using the effective user and group IDs instead
                   of the real user and group ID as required in a
                   call to access().
 
> Basically for OpenSolaris the whole thing needs a
> rethink.
> 
> I'll raise an RFE for it. Did you look at Daniel
> Berger's solaris-file 
> ruby extension
> (http://github.com/djberg96/solaris-file)?
> Unfortunately 
> it doesn't extend File.readable?, etc, it just adds
> ACL support.
> 

No, I missed it somehow. Now google search finds it at github, seems to be 
added on Jan. 17. Thanks again for the pointer.

Cheers,
Henry
-- 
This message posted from opensolaris.org

Reply via email to