fix: enforce POSIX path permission checks on stat/lstat#372
Draft
toddr-bot wants to merge 1 commit into cpan-authors:main from
Conversation
stat() and lstat() now check execute (search) permission on every
ancestor directory when set_user() is active. Previously, stat()
returned file information regardless of directory permissions, allowing
any mock user to stat files in directories they couldn't traverse.
POSIX requires execute permission on each directory component to resolve
a path — e.g. stat("/a/b/c") needs execute on "/", "/a", and "/a/b".
Root bypasses this check (root can always traverse directories).
Adds _check_path_perms() helper and 10 tests covering:
- Basic path permission enforcement for stat and lstat
- Deep paths with inaccessible intermediate directories
- Root bypass, owner/group permission triads
- Filehandle stat bypassing path checks (already open)
- File test operators (-e, -f) inheriting the restriction
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
What

Enforce execute (search) permission on ancestor directories when stat/lstat resolve a path under `set_user()`.

Why

POSIX requires execute permission on every directory component to resolve a path. `stat("/a/b/c")` should fail with EACCES when the caller lacks execute on `/a` or `/a/b`. Without this check, `set_user()` users could inspect file metadata in directories they couldn't traverse — breaking the permission model that all other operations now enforce.

Fixes #371.

How

- `_check_path_perms($path)` helper that walks ancestor directories and checks execute permission via `_check_perms()`. Root bypasses the check entirely (root can always traverse directories, unlike the "needs at least one x bit" rule for executing regular files).
- `_mock_stat()` for path-based stat/lstat only — filehandle stat is correctly unaffected since the handle is already open.

Testing

10 new tests in `t/stat_path_perms.t` covering:

Full test suite passes (1596 tests, only pre-existing `fh-ref-leak.t` failures).
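The ancestor walk described in the commit message and under How, as an added stand-alone Python model (not the module's own Perl code): a constructed tree of (mode, uid, gid) entries, the owner/group/other triad check, the root bypass, and a path-based stat that refuses to resolve a path through a directory the caller cannot search. The names `MOCK_FS`, `check_path_perms` and `mock_stat` are this example's, not the project's.

```python
import errno
import os

# Constructed mock tree for this example (not Test::MockFile data): path -> (mode, uid, gid)
MOCK_FS = {
    "/":      (0o755, 0, 0),
    "/a":     (0o750, 1000, 100),  # group 100 may search /a; others may not
    "/a/b":   (0o700, 1000, 100),  # only uid 1000 may search /a/b
    "/a/b/c": (0o644, 1000, 100),
    "/pub":   (0o755, 0, 0),
    "/pub/x": (0o600, 2000, 200),  # unreadable file, but stat() only needs searchable ancestors
}
EACCES, ENOENT = errno.EACCES, errno.ENOENT

def _check_perms(entry, want, uid, gids):
    """POSIX triad: exactly one of the owner/group/other bit sets applies to the caller."""
    mode, owner, group = entry
    shift = 6 if owner == uid else 3 if group in gids else 0
    return bool((mode >> shift) & want)

def check_path_perms(path, uid, gids, fs=MOCK_FS):
    """Return 0 if every ancestor directory of `path` is searchable by (uid, gids), else an errno."""
    if uid == 0:                    # root bypass: root always traverses directories
        return 0
    ancestors, cur = [], path
    while cur != "/":
        cur = os.path.dirname(cur)  # walk upward: /a/b/c -> /a/b, /a, /
        ancestors.append(cur)       # the final component itself is not checked here
    for d in reversed(ancestors):   # resolve top-down, as the kernel would
        entry = fs.get(d)
        if entry is None:
            return ENOENT
        if not _check_perms(entry, 0o1, uid, gids):   # 0o1 is the execute/search bit
            return EACCES
    return 0

def mock_stat(path, uid, gids, fs=MOCK_FS):
    """Path-based stat: (0, entry) on success, (errno, None) when the path cannot be resolved."""
    err = check_path_perms(path, uid, gids, fs)
    if err:
        return err, None
    entry = fs.get(path)
    return (0, entry) if entry is not None else (ENOENT, None)
```

A stat on an already-open filehandle would not go through `check_path_perms` at all, which matches the PR's note that filehandle stat is unaffected.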