Date: Sat, 31 Mar 2001 18:31:45 -0500
From: Bill Moran <wmoran@iowna.com>
To: Mike Meyer <mwm@mired.org>
Cc: questions@freebsd.org
Subject: Re: access() system call
Message-ID: <3AC668E1.341AE7BA@iowna.com>
References: <15046.13882.845275.101113@guru.mired.org>
Mike Meyer wrote:
>
> Bill Moran <wmoran@iowna.com> types:
> > This may be a question for -hackers, but I'll try here first.
> >
> > In the man page for the access(2) syscall, it states "access() is a
> > potential security hole and should never be used."
> >
> > I have 3 questions regarding this:
> >
> > 1. What should I use instead?
>
> As others have indicated, stat.

Agreed.

> > 2. Is there any more information on why access() is such a terrible
> > security hole?
>
> I'd say the following quote from the man page pretty much covers it:
>
>      Even if a process has appropriate privileges and indicates success for
>      X_OK, the file may not actually have execute permission bits set.
>      Likewise for R_OK and W_OK.

Unfortunately, that's a little ambiguous (I didn't have a clue what it was
talking about until someone pointed out the race condition to me).
I would recommend something more like:

"access() can produce a race condition between the time access() is called
and subsequent attempts to actually access the file. For this reason, it is
not generally safe to use access() to test permissions."

> One of the common uses for access is to check the privileges of the
> real user in a program that has enhanced its privileges via set?id.
> Since access can get this wrong, trusting it is a security hole. You
> have to either check things yourself via stat (and don't forget to
> check all the directories along the path as well), or surrender the
> enhanced privileges before attempting the operation you're authorizing
> with access. If you're not using enhanced privileges, then this isn't
> a problem - just use access, and be prepared for things to fail.

In 99.9% of the cases, you are correct. However, I seem to have a situation
that includes the .1%. See the other posting for a description of it, and
feel free to comment.

> > 3. Does not access(1) use access(2)? If so, that would make access(1) a
> > security problem. Which is not documented in the man page (or anywhere
> > else that I can find)
>
> I'm not sure why it's relevant, but the sources to everything are
> available.

It's not ... now that I know why access() presents a security problem.

-Bill
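The thread above describes a time-of-check/time-of-use problem: access(2) answers a question about whatever the path names at that instant, and the file actually opened a moment later may be a different object. The following C program is an added example, not code from the thread or from FreeBSD, showing the two alternatives Mike names. Instead of asking access() and then calling open(), a set-id program temporarily takes the real user's ids around the open() so the kernel applies the real user's permissions to the very object it opens; then, rather than stat(2) on the path, it inspects the descriptor it holds with fstat(2), which nothing can swap out from under it. The names racy_open, open_as_real_user, fd_is_regular_with_mode and run_demo, and the /tmp sample file, are my own constructions; racy_open is the pattern the man page warns against, kept only for contrast.

```c
#define _XOPEN_SOURCE 700   /* declares seteuid/setegid/mkstemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the access(2) man page warns about: the object named by
 * `path` can change between the access() answer and the open() that relies
 * on it, so the permission check may describe a different file. */
int racy_open(const char *path)
{
    if (access(path, R_OK) == -1)
        return -1;
    return open(path, O_RDONLY);   /* the check/use window sits here */
}

/* Hypothetical helper: open on behalf of the *real* user in a set-id
 * program. Effective ids are swapped to the real ids for the duration of
 * the open(), so the kernel checks permission on the object it opens. */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid(), ruid = getuid();
    gid_t egid = getegid(), rgid = getgid();
    int elevated = (euid != ruid) || (egid != rgid);
    int fd, saved_errno;

    if (elevated) {
        if (setegid(rgid) == -1)          /* drop group first, while still able */
            return -1;
        if (seteuid(ruid) == -1) {
            setegid(egid);
            return -1;
        }
    }
    fd = open(path, flags);
    saved_errno = errno;
    if (elevated) {
        /* Regain uid first, then gid. Failing to regain privileges leaves
         * a set-id program in an undefined state; treat it as fatal. */
        if (seteuid(euid) == -1 || setegid(egid) == -1)
            abort();
    }
    errno = saved_errno;
    return fd;
}

/* Hypothetical helper: check the descriptor, not the path. fstat() reports
 * on the object actually held, so there is no second lookup to race.
 * Returns 1 if fd is a regular file whose mode has every bit in `want`. */
int fd_is_regular_with_mode(int fd, mode_t want)
{
    struct stat st;
    if (fstat(fd, &st) == -1)
        return 0;
    if (!S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & want) == want;
}

/* Constructed demo: create a temporary regular file, open it the safe way,
 * and verify it via the descriptor. Returns 0 on success, 1 on failure. */
int run_demo(void)
{
    char path[] = "/tmp/access_demo.XXXXXX";   /* constructed sample file */
    int fd, rc = 1;

    fd = mkstemp(path);
    if (fd == -1)
        return 1;
    if (write(fd, "hello\n", 6) != 6) {
        close(fd);
        unlink(path);
        return 1;
    }
    close(fd);
    if (chmod(path, S_IRUSR | S_IWUSR) == -1)
        goto out;

    fd = open_as_real_user(path, O_RDONLY);
    if (fd == -1)
        goto out;
    if (fd_is_regular_with_mode(fd, S_IRUSR))
        rc = 0;
    close(fd);
out:
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s\n", rc == 0 ? "safe open + fstat check passed" : "demo failed");
    return rc;
}
```

Using fstat() on the open descriptor is a refinement of the "use stat" advice: it removes the second path lookup entirely. Mike's reminder about the directories along the path still applies when the policy cares about how the file was reached rather than only about the object finally opened; the id swap covers that case, because the kernel walks the path with the real user's permissions.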