access(2) using effective uid instead of real one?

Nicolas Thery nthery at
Mon Aug 10 15:18:58 PDT 2009

2009/8/11 Alex <ahornung at>:
> As far as I can see it should be trivial to change it touse the real
> uid in vop_helper_access. Just change the references to cr_uid and
> cr_gid to cr_ruid and cr_rgid.
> If this is how it should be or shouldn't... I don't know.

I reckon that's one possibility.

Alternatively, the credentials passed to VOP_ACCESS() can be changed
as shown in the patch below.  Doing it this way simplifies the
incoming implementation of faccessat(2) which can check either the
effective or real uid/gid.

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 0c723e4..12d3b53 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -2318,8 +2318,16 @@ int
 kern_access(struct nlookupdata *nd, int aflags)
 	struct vnode *vp;
+	struct ucred *cr;
 	int error, flags;

+	/*
+	 * Perform check with real uid/gid
+	 */
+	cr = cratom(&nd->nl_cred);
+	cr->cr_uid = cr->cr_ruid;
+	cr->cr_groups[0] = cr->cr_rgid;
 	if ((error = nlookup(nd)) != 0)
 		return (error);

More information about the Kernel mailing list