From: Mike Yuan <me@yhndnzj.com>
Date: Tue, 5 Mar 2024 14:25:44 +0000 (+0800)
Subject: tmpfiles: do 'X' bit check in an ACL-aware manner
X-Git-Tag: v256-rc1~609^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29a438e764cbfdddd43e175490e2d8c8eb21b79e;p=thirdparty%2Fsystemd.git

tmpfiles: do 'X' bit check in an ACL-aware manner

Follow-up for 26d98cdd78cb5283f5771bd5866997acc494b067

I.e. stat() cannot be used here.

Also, before this commit, the 'X' is only applied if
the owner has execute bit set. Now it takes group and
other into consideration too. setfacl(1) also has
the same behavior.
---

diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c
index 0dd890958c6..ede5ca8a964 100644
--- a/src/tmpfiles/tmpfiles.c
+++ b/src/tmpfiles/tmpfiles.c
@@ -1275,33 +1275,43 @@ static int parse_acl_cond_exec(
         assert(ret);
 
         if (!S_ISDIR(st->st_mode)) {
-                has_exec = st->st_mode & S_IXUSR;
+                _cleanup_(acl_freep) acl_t old = NULL;
 
-                if (!has_exec && append) {
-                        _cleanup_(acl_freep) acl_t old = NULL;
+                old = acl_get_file(path, ACL_TYPE_ACCESS);
+                if (!old)
+                        return -errno;
+
+                has_exec = false;
+
+                for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry);
+                     r > 0;
+                     r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) {
 
-                        old = acl_get_file(path, ACL_TYPE_ACCESS);
-                        if (!old)
+                        acl_tag_t tag;
+
+                        if (acl_get_tag_type(entry, &tag) < 0)
                                 return -errno;
 
-                        for (r = acl_get_entry(old, ACL_FIRST_ENTRY, &entry);
-                             r > 0;
-                             r = acl_get_entry(old, ACL_NEXT_ENTRY, &entry)) {
+                        if (tag == ACL_MASK)
+                                continue;
 
-                                if (acl_get_permset(entry, &permset) < 0)
-                                        return -errno;
+                        /* If not appending, skip ACL definitions */
+                        if (!append && IN_SET(tag, ACL_USER, ACL_GROUP))
+                                continue;
 
-                                r = acl_get_perm(permset, ACL_EXECUTE);
-                                if (r < 0)
-                                        return -errno;
-                                if (r > 0) {
-                                        has_exec = true;
-                                        break;
-                                }
-                        }
+                        if (acl_get_permset(entry, &permset) < 0)
+                                return -errno;
+
+                        r = acl_get_perm(permset, ACL_EXECUTE);
                         if (r < 0)
                                 return -errno;
+                        if (r > 0) {
+                                has_exec = true;
+                                break;
+                        }
                 }
+                if (r < 0)
+                        return -errno;
 
                 /* Check if we're about to set the execute bit in acl_access */
                 if (!has_exec && access) {