Section 4.7. access Function



4.7. access Function

As we described earlier, when we open a file, the kernel performs its access tests based on the effective user and group IDs. There are times when a process wants to test accessibility based on the real user and group IDs. This is useful when a process is running as someone else, using either the set-user-ID or the set-group-ID feature. Even though a process might be set-user-ID to root, it could still want to verify that the real user can access a given file. The access function bases its tests on the real user and group IDs. (Replace effective with real in the four steps at the end of Section 4.5.)

    #include <unistd.h>

    int access(const char *pathname, int mode);

Returns: 0 if OK, -1 on error


The mode is the bitwise OR of any of the constants shown in Figure 4.7.

Figure 4.7. The mode constants for access function, from <unistd.h>

    mode    Description
    R_OK    test for read permission
    W_OK    test for write permission
    X_OK    test for execute permission
    F_OK    test for existence of file


Example

Figure 4.8 shows the use of the access function.

Here is a sample session with this program:

    $ ls -l a.out
    -rwxrwxr-x 1 sar         15945 Nov 30 12:10 a.out
    $ ./a.out a.out
    read access OK
    open for reading OK
    $ ls -l /etc/shadow
    -r-------- 1 root         1315 Jul 17 2002 /etc/shadow
    $ ./a.out /etc/shadow
    access error for /etc/shadow: Permission denied
    open error for /etc/shadow: Permission denied
    $ su                        become superuser
    Password:                   enter superuser password
    # chown root a.out          change file's user ID to root
    # chmod u+s a.out           and turn on set-user-ID bit
    # ls -l a.out               check owner and SUID bit
    -rwsrwxr-x 1 root     15945 Nov 30 12:10 a.out
    # exit                      go back to normal user
    $ ./a.out /etc/shadow
    access error for /etc/shadow: Permission denied
    open for reading OK

In this example, the set-user-ID program can determine that the real user cannot normally read the file, even though the open function will succeed.

Figure 4.8. Example of access function

    #include "apue.h"
    #include <fcntl.h>

    int
    main(int argc, char *argv[])
    {
        if (argc != 2)
            err_quit("usage: a.out <pathname>");

        /* access() tests with the real user and group IDs */
        if (access(argv[1], R_OK) < 0)
            err_ret("access error for %s", argv[1]);
        else
            printf("read access OK\n");

        /* open() is tested by the kernel with the effective user and group IDs */
        if (open(argv[1], O_RDONLY) < 0)
            err_ret("open error for %s", argv[1]);
        else
            printf("open for reading OK\n");
        exit(0);
    }

In the preceding example and in Chapter 8, we'll sometimes switch to become the superuser, to demonstrate how something works. If you're on a multiuser system and do not have superuser permission, you won't be able to duplicate these examples completely.
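
The following C program is an added example, not code from the book: it models the four-step permission test that the access description refers to, so the same file can be checked once with the real IDs (what access uses) and once with the effective IDs (what open uses), reproducing the /etc/shadow result from the sample session. The struct ids type, the model_access function, and UID/GID 1000 standing in for user sar are assumptions made for illustration. The model covers only the classic permission bits and the superuser rule as the four steps state them.

```c
#include <stdio.h>
#include <stddef.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper type (not from libc): the IDs a permission test uses. */
struct ids { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

static int in_group(const struct ids *id, gid_t g)
{
    if (id->gid == g)
        return 1;
    for (size_t i = 0; i < id->ngroups; i++)   /* supplementary groups */
        if (id->groups[i] == g)
            return 1;
    return 0;
}

/* Model of the four-step test: returns 0 if allowed, -1 if denied.
 * perm holds the nine permission bits (e.g. 0400). Exactly one class of
 * bits is consulted; a matching owner never falls through to "other". */
int model_access(const struct ids *id, uid_t owner, gid_t group,
                 mode_t perm, int mode)
{
    mode_t have, want = 0;

    if (id->uid == 0)                    /* step 1: superuser */
        return 0;
    if (id->uid == owner)                /* step 2: owner bits only */
        have = (perm >> 6) & 7;
    else if (in_group(id, group))        /* step 3: group bits only */
        have = (perm >> 3) & 7;
    else                                 /* step 4: other bits */
        have = perm & 7;
    if (mode & R_OK) want |= 4;
    if (mode & W_OK) want |= 2;
    if (mode & X_OK) want |= 1;
    return (have & want) == want ? 0 : -1;   /* F_OK leaves want == 0 */
}

int main(void)
{
    /* Constructed IDs: uid/gid 1000 stands in for user "sar". */
    struct ids real = { 1000, 1000, NULL, 0 };   /* used by access() */
    struct ids eff  = { 0,    1000, NULL, 0 };   /* set-user-ID root: open() */

    printf("access(/etc/shadow): %d\n", model_access(&real, 0, 0, 0400, R_OK));
    printf("open(/etc/shadow):   %d\n", model_access(&eff,  0, 0, 0400, R_OK));
    return 0;
}
```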

    Advanced Programming in the UNIX Environment, Second Edition (Addison-Wesley Professional Computing Series)
    ISBN: 0321525949
    Year: 2005
    Pages: 370
