2009/8/11 Alex <ahornung@gmail.com>: > As far as I can see it should be trivial to change it touse the real > uid in vop_helper_access. Just change the references to cr_uid and > cr_gid to cr_ruid and cr_rgid. > If this is how it should be or shouldn't... I don't know. I reckon that's one possibility. Alternatively, the credentials passed to VOP_ACCESS() can be changed as shown in the patch below. Doing it this way simplifies the incoming implementation of faccessat(2) which can check either the effective or real uid/gid. diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 0c723e4..12d3b53 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -2318,8 +2318,16 @@ int kern_access(struct nlookupdata *nd, int aflags) { struct vnode *vp; + struct ucred *cr; int error, flags; + /* + * Perform check with real uid/gid + */ + cr = cratom(&nd->nl_cred); + cr->cr_uid = cr->cr_ruid; + cr->cr_groups[0] = cr->cr_rgid; + if ((error = nlookup(nd)) != 0) return (error); retry: