[Gambas-user] Properties of the Stat class (gb)

Tobias Boege taboege at gmail.com
Tue Jun 12 13:53:28 CEST 2018


On Tue, 12 Jun 2018, Hans Lehmann wrote:
> Hello,
> 

Please create a new thread for a new topic instead of replying to an
existing one. Your message shows up in the thread about "unsigned int
datatype for external function" but it has nothing to do with that.

> I'm experimenting with the properties of the Stat class (gb) for another
> chapter in the Gambas book.
> 
> First, a temporary file with a random file name is created in all three
> cases.
> Then the owner and the group will be changed with the instructions Chown and
> Chgrp.
> Afterwards, different file rights are assigned in three cases.
> Finally, the file properties are read out and displayed with a Stat object
> (FileInfo = Stat(sFilePath)) and Access(path [, mode ] ).
> 
> Source code section:
> 
> sRandomFileName = SetRandomFileName()
> sFilePath = Temp(sRandomFileName)
> ...
> Shell Subst$("touch &1; echo 'ZEILE 1\nZEILE 2' > &1", sFilePath) Wait

You definitely shouldn't show code like this in the book. Substituting
a string into a shell command with just Subst$() creates an injection
vulnerability [1]. In *this* case, it is acceptable, since we can (can we?)
assume Temp$() to return a safe path, but I'm afraid a newbie might look
at this and think it's fine to substitute paths into SHELL.

Gambas has a function named Shell$() [2], which escapes a string so that
it can safely be put into a SHELL command.

Of course, you could also avoid the overhead of SHELL altogether,
by just doing File.Save(sFilePath, "some data").

In that spirit, in SetRandomFileName(), you don't have to ask `openssl`
to give you random bytes. Gambas' Hex$(Rand(0,2^32-1)) works just fine.

> Chown sFilePath To User.Name
> Chgrp sFilePath To sGroup
> 
> Three results (gambas program and console):
> 
> (1)
> Chmod sFilePath To "rwxrw-r--"
> Path = /tmp/gambas.1000/5750/f4ec9844.tmp
> File-Type (Integer) = 1
> File-Type = Regular file
> Permissions (Symbolic notation) = rwxrw-r--
> File-Modus (Numeric Notation)   = 764
> Sticky-Bit set? = False
> SetUID set? = False
> SetGID set? = False
> 
> hans at mint-183 ~ $ stat -c "%a %A" /tmp/gambas.1000/5750/f4ec9844.tmp
> 764 -rwxrw-r--
> 
> ------------------------------------------------------------------------
> 
> (2)
> Chmod sFilePath To "rwSrwSr-T"
> Path = /tmp/gambas.1000/5180/161632d2.tmp
> File-Type (Integer) = 1
> File-Type = Regular file
> Permissions (Symbolic notation) = rwSrwSr-T
> File-Modus (Numeric Notation)   = 7664
> Sticky-Bit set? = True
> SetUID set? = True
> SetGID set? = True
> 
> hans at mint-183 ~ $ stat -c "%a %A" /tmp/gambas.1000/5180/161632d2.tmp
> 7664 -rwSrwSr-T
> 
> ------------------------------------------------------------------------
> 
> (3)
> Chmod sFilePath To "rwsrwsrwt"
> Path = /tmp/gambas.1000/5829/fb60cd7b.tmp
> File-Type (Integer) = 1
> File-Type = Regular file
> Permissions (Symbolic notation) = rw-rw-rw-
> File-Modus (Numeric Notation)   = 666
> Sticky-Bit set? = False
> SetUID set? = False
> SetGID set? = False
> 
> hans at mint-183 ~ $ stat -c "%a %A" /tmp/gambas.1000/5829/fb60cd7b.tmp
> 666 -rw-rw-rw-
> 
> In the first two cases, the values of the properties that were expected were
> obtained. The displayed file rights as string should have the same syntax as
> CHMOD in the documentation on http://gambaswiki.org/wiki/cat/mode It's not
> like that. Assigned rights: "rwsrwsrwt"; read: "rw-rw-rw-". Mistake?
> 
> The documentation contains the following information:
> 
> ... if there is an s or S at the 3rd position (owner), .... then the
> SetUID.bit is always set,
> ... if at the 6th position (group) an s or S stands, .... then the
> SetGID.bit is always set,
> ... if the 9th position (Other) is t or T, ... then the sticky bit is always
> set.
> 
> In the third case, however, there are three contradictions. It is indicated
> that neither the SetUID.Bit, SetGID.Bit nor the Sticky-Bit have been set. Is
> there an error here or am I wrong with my algorithms?
> 

The attached script is more comfortable (because less noisy) for reproducing
this behaviour. It's actually an off-by-one bug in the Gambas interpreter,
resulting in the 's' and 't' bits being unrecognised. It's not your fault
and I fixed it in commit d44b4bd7f. Here is the "before and after":

  $ ./chmod-bug.gbs3  # before
  rw-r--r--  # default
  rwxrwSrwT  # applied "rwxrwSrwT"
  r--rwSrwT  # applied "r--r**rwt"
  rw-rwSrwT  # applied "rwsrwsrwt"
  $ ./chmod-bug.gbs3  # after d44b4bd7f
  rw-r--r--  # default
  rwxrwSrwT  # applied "rwxrwSrwT"
  r--rwSrwt  # applied "r--r**rwt"
  rwsrwsrwt  # applied "rwsrwsrwt"

You see: 's' and 't' used to behave just as if they were unrecognised
characters (like the '*'). Now they work correctly.

Regards,
Tobi

[1] https://en.wikipedia.org/wiki/Code_injection#Shell_injection
[2] http://gambaswiki.org/wiki/lang/shell2

-- 
"There's an old saying: Don't change anything... ever!" -- Mr. Monk
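
The quoting advice in the message above, as an added example that is not part of the original post and is not Gambas code: a Python stand-in runs the same `touch ...; echo ... > ...` template through `/bin/sh` with the path pasted in unquoted, then quoted, then written without a shell. Assumptions: `shlex.quote` plays the role of Gambas' Shell$(), a plain file write plays the role of File.Save, and the file name is constructed for the demonstration.

```python
import os
import shlex
import subprocess
import tempfile

# Same shape as the Shell line quoted in the thread; {p} stands for &1.
TEMPLATE = "touch {p}; echo 'ZEILE 1\\nZEILE 2' > {p}"

# Constructed file name containing a shell metacharacter (not from the thread).
HOSTILE_NAME = "a.tmp; touch INJECTED"


def run_template(path_text, workdir):
    """Substitute path_text into the template, run it with sh, list what exists."""
    subprocess.run(["/bin/sh", "-c", TEMPLATE.format(p=path_text)],
                   cwd=workdir, check=False)
    return sorted(os.listdir(workdir))


def demo(file_name):
    """Return the files created by the unquoted, quoted and shell-free variants."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        # Plain substitution: the shell splits the name at ';'.
        results["unquoted"] = run_template(file_name, d)
    with tempfile.TemporaryDirectory() as d:
        # Quoted substitution: the whole name reaches touch as one argument.
        results["quoted"] = run_template(shlex.quote(file_name), d)
    with tempfile.TemporaryDirectory() as d:
        # No shell at all: nothing ever interprets the name.
        with open(os.path.join(d, file_name), "w") as fh:
            fh.write("ZEILE 1\nZEILE 2\n")
        results["no_shell"] = sorted(os.listdir(d))
    return results


if __name__ == "__main__":
    for variant, files in demo(HOSTILE_NAME).items():
        print(f"{variant:9} -> {files}")
```
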
-------------- next part --------------
#!/usr/bin/env gbs3

Public Sub Main()
  Dim s As String = Temp$()

  File.Save(s, "some data")
  Print Stat(s).Auth

  Chmod s To "rwxrwSrwT"
  Print Stat(s).Auth

  Chmod s To "r--r**rwt"
  Print Stat(s).Auth

  Chmod s To "rwsrwsrwt"
  Print Stat(s).Auth
End
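
The mode strings discussed in this thread, decoded in an added Python example (not part of the original post or of Gambas): it converts the 9-character notation, including 's'/'S' and 't'/'T', to the numeric mode, renders it back with the standard `stat.filemode`, and names special bits that were requested but missing from what was read back. The function names are this example's own, and the parser rejects any character other than the ones listed.

```python
import stat

# Position in the string -> (permission bit, special bit, lowercase special letter)
SLOTS = [
    (stat.S_IRUSR, 0, ""), (stat.S_IWUSR, 0, ""), (stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, 0, ""), (stat.S_IWGRP, 0, ""), (stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, 0, ""), (stat.S_IWOTH, 0, ""), (stat.S_IXOTH, stat.S_ISVTX, "t"),
]
NAMES = {stat.S_ISUID: "setuid", stat.S_ISGID: "setgid", stat.S_ISVTX: "sticky"}


def parse_symbolic(text):
    """Convert e.g. 'rwSrwSr-T' to its numeric mode (0o7664)."""
    if len(text) != 9:
        raise ValueError("mode string must have exactly 9 characters")
    mode = 0
    for i, (ch, (perm, special, letter)) in enumerate(zip(text, SLOTS)):
        if ch == "rwx"[i % 3]:
            mode |= perm
        elif letter and ch == letter:          # 's'/'t': special bit plus execute
            mode |= special | perm
        elif letter and ch == letter.upper():  # 'S'/'T': special bit, no execute
            mode |= special
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} at position {i + 1}")
    return mode


def to_symbolic(mode):
    """Render a numeric mode like `stat -c %A`, without the file-type character."""
    return stat.filemode(stat.S_IFREG | mode)[1:]


def dropped_special_bits(requested, observed):
    """Name special bits present in the requested string but not in the read-back one."""
    lost = parse_symbolic(requested) & ~parse_symbolic(observed)
    return [name for bit, name in NAMES.items() if lost & bit]


if __name__ == "__main__":
    # (requested, read back) pairs are the three cases quoted in the thread.
    for requested, observed in [("rwxrw-r--", "rwxrw-r--"),
                                ("rwSrwSr-T", "rwSrwSr-T"),
                                ("rwsrwsrwt", "rw-rw-rw-")]:
        print(requested, format(parse_symbolic(requested), "o"),
              "read back:", observed, format(parse_symbolic(observed), "o"),
              "dropped:", dropped_special_bits(requested, observed))
```
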

