misleading error message for SELinux denials

or, if you're not into the whole SELinux thing, here's a repro case just using chmod on debian:

  cd tmp
  mkdir d
  touch d/f
  chmod 000 d

  mksh -c /tmp/d/f
mksh: /tmp/d/f: not found

  bash -c /tmp/d/f
bash: /tmp/d/f: Permission denied

No.

When you do
    mksh -c /tmp/d/f
you ask mksh to find it as a command. The “not found” error message there is more general; for example, it also happens if the interpreter is not found:

    print '#!/nonexistent-int' >/tmp/ff
    chmod 755 /tmp/ff
    mksh -c /tmp/ff

(This even results in “No such file or directory”.)

When you ask mksh to read it as a script file, all is well:

    mksh /tmp/d/f

(This results in “Permission denied”.)

By that argument, would you argue that returning "Permission Denied" below is incorrect?

nnk@nnk0:~$ cd /tmp
nnk@nnk0:/tmp$ touch ./asdf
nnk@nnk0:/tmp$ mksh -c ./asdf
mksh: ./asdf: can't execute: Permission denied

I don't understand how "mksh -c /tmp/d/f" differs from "mksh -c ./asdf" by the logic above.

(FWIW, "Permission Denied" for both of these cases seems more correct to me)

Hmm. In the case Nick posted, it can “see” the file (find it) but not read it.

In the other case, an intermediate directory is not accessible.

This has been so since pdksh times, and I think some code later on checks for ENOENT, so just passing through the errno may introduce other problems.

The “not found” is a string in the shell anyway, not an errno. Perhaps changing it to something more encompassing would help?

In the SELinux case that Elliott pointed to in the initial bug report, mksh can also "see" the file (eg, stat() returns EACCES, indicating the file exists but security policy disallows stat() operations). Yet "not found" is emitted by mksh vs (the IMHO more correct) "Permission denied". The mksh code assumes any stat() failure is due to the file not existing vs other causes. Unfortunately, this error condition can only be replicated using one of the available Linux Mandatory Access Control systems such as SELinux, Smack, AppArmor, or Tomoyo.

Similarly, in the following scenerio, mksh can "see" the asdf command, but still returns "not found", when the command clearly exists but is malformed.

  nnk@nnk0:/tmp$ mkdir d
  nnk@nnk0:/tmp$ ln -s ../asdf d/asdf
  nnk@nnk0:/tmp$ ln -s d/asdf asdf
  nnk@nnk0:/tmp$ ls -la d/asdf asdf
  lrwxrwxrwx 1 nnk nnk 6 Feb 27 09:27 asdf -> d/asdf
  lrwxrwxrwx 1 nnk nnk 7 Feb 27 09:27 d/asdf -> ../asdf
  nnk@nnk0:/tmp$ mksh -c /tmp/asdf
  mksh: /tmp/asdf: not found

Bash provides a more accurate error message in this case:

  nnk@nnk0:/tmp$ bash -c /tmp/asdf
  bash: /tmp/asdf: Too many levels of symbolic links

This is particularly problematic for interactive shells, where the lack of accurate error messages inhibits end user understanding of the error conditions.

  nnk@nnk0:/tmp$ mksh
  $ /tmp/asdf
  mksh: /tmp/asdf: not found
  $ ls -la /tmp/asdf
  lrwxrwxrwx 1 nnk nnk 6 Feb 27 09:27 /tmp/asdf -> d/asdf
  $ mkdir d2
  $ touch d2/a2
  $ chmod 000 ./d2
  $ /tmp/d2/a2
  mksh: /tmp/d2/a2: not found

Can you elaborate on the statement that "passing through the errno may introduce other problems"? What other problems are you concerned about? The statement feels unactionable.

IMHO, changing "not found" to a more generic string, without other changes, would not improve end user understandability.

Thank you for your continued dialog on this issue.

Additionally, this behavior also causes problems where the security policy writer, for whatever reason, wants to allow a file to be executed but disallow stat() operations. This could occur, for example, in high sensitivity environments where leaking metadata (size, last update time, etc) about the file being executed could reveal other activity on the system. By assuming that stat() must always succeed before the file can be executed, such environments cannot create unstat()able executables and have mksh run the executable.

What do you think of “not found or inaccessible”? (I hope I spelt that right.)

stat() must always succeed, because we must check that the executable bits are set before accepting the file as command (if not for anything else, then because POSIX was changed to demand distinguishing $? between 126 and 127 for these cases).

Are you referring to Posix 1003.1 section "C.2.8.2 Exit Status for Commands"?

  Historical shells make the distinction between ‘‘utility not found’’ and
  ‘‘utility found but cannot execute’’ in their error messages. By specifying
  two seldomly used exit status values for these cases, 127 and 126 respectively,
  this gives an application the opportunity to make use of this distinction
  without having to parse an error message that would probably change from
  locale to locale. The command, env, nohup, and xargs utilities in the
  Shell and Utilities volume of IEEE Std 1003.1-2001 have also been specified to
  use this convention.

(I may be viewing an out of date version... my apologies if so)

A few comments:

1) Based on the above, POSIX also seems to require different error messages for "not found" and "found but cannot execute". The entire reason this bug exists is because mksh is failing to return different error messages when the executable exists but the stat() fails. The proposal from comment #8 seems to acknowledge this non-compliance, yet not address it.

2) The stat() is unnecessary for distinguishing between a 126 and 127 error status. Instead, a much simpler way is to just execve() the file, return 127 iff errno==ENOENT. I believe this is all Posix requires.

3) Manually checking permission bits is not an accurate indicator of whether the file can be executed or not, primarily due to LSMs.

4) Calling stat() unnecessarily inhibits certain use cases, specifically comment #7.

5) A failure of the stat() system call is not an accurate indicator of the exec()-ability of the file. The only way to determine if a file is executable is to execute it.

“5) A failure of the stat() system call is not an accurate indicator of the exec()-ability of the file. The only way to determine if a file is executable is to execute it.”

This is not generally true. We need to check for +x, and there was something with strange operating systems, *and* the shell does not only use the exec*() family syscalls but also “executes” a script by doing stuff itself.

I’m willing to compromise on the error message right now. Everything else needs more thought, and (probably) tomorrow will see a new mksh version.

I vaguely recall something about access() succeeding for file foo when foo.exe exists on some platforms, or the other way round, and that the modes are also not always correct. The manpage supports the latter…

     Even if a process has appropriate privileges and indicates success for
     X_OK, the file may not actually have execute permission bits set. Like-
     wise for R_OK and W_OK.

… but uses stronger language:

CAVEATS

     access() is a potential security hole and should never be used.

Ceterum censeo, a non-broken stat() is mandatory.

To be clear, the current implementation of using stat(), reading the permissions, then later exec()ing is subject to the same race conditions described in the access() man page. Just because stat() doesn't include these warnings in the man page shouldn't be interpreted that the current usage is race condition free.

In fact, if the code wants to be race condition free, the appropriate thing to do is to skip the access(X_OK) check *and* the stat() check, and just do the exec(). This is the solution I proposed in comment #10 bullet #5. Since you're raising security concerns, I assume you want to be race condition free?

As an alternative solution to deal with buggy or incomplete access() implementations, we could also consider making the "stat()" call conditional on the operating system. For Linux, in particular, access(X_OK) is known to be robust, so we can omit the stat() check on that operating system. I proposed a similar solution in https://bugs.launchpad.net/mksh/+bug/1817959 comment #6.

I changed the error message, as indicated.