From owner-freebsd-bugs Fri May 28 11:10: 6 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
	by hub.freebsd.org (Postfix) with ESMTP id 359D315353
	for ; Fri, 28 May 1999 11:10:03 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.9.3/8.9.2) id LAA55071;
	Fri, 28 May 1999 11:10:03 -0700 (PDT)
	(envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
	id D86E3151E1; Fri, 28 May 1999 11:09:57 -0700 (PDT)
Message-Id: <19990528180957.D86E3151E1@hub.freebsd.org>
Date: Fri, 28 May 1999 11:09:57 -0700 (PDT)
From: aron@cs.rice.edu
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: kern/11915: access system call says file is readable when it's not
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         11915
>Category:       kern
>Synopsis:       access system call says file is readable when it's not
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri May 28 11:10:01 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     Mohit Aron
>Release:        FreeBSD-3.2 Release
>Organization:
Rice University
>Environment:
FreeBSD luzern.cs.rice.edu 3.2-RELEASE FreeBSD 3.2-RELEASE #1: Wed May 26 18:02:08 CDT 1999 aron@luzern.cs.rice.edu:/usr/src/sys/compile/LUZERN i386

>Description:
If a user has a file that is owned and readable only by him, and he invokes
a setuid executable (owned by some other user) that tries to read this file,
then the access() system call says that the file is readable, but when the
file is opened for reading using fopen(), it fails.

>How-To-Repeat:
1) Create a file "foo" that is owned by and readable only by the current
   user (say X).

2) Compile the following C program, make the executable's owner some other
   user (say Y), and turn on the setuid bit on the executable.

----------------------------- Cut Here ---------------------------------
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    FILE *fp;
    char *fname = "foo";

    /* access() reports the file as readable... */
    if (!access(fname, R_OK)) {
        printf("access successful\n");
        /* ...but opening it for reading fails */
        fp = fopen(fname, "r");
        if (fp == NULL) {
            printf("but fopen failed\n");
        }
    }
    return 0;
}
----------------------------- Cut Here ---------------------------------

3) Finally, run the executable obtained above as user X. Notice how access()
   is successful but fopen() fails.

>Fix:

>Release-Note:
>Audit-Trail:
>Unformatted:
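
The behaviour reported above, as an added example that is not part of the original report: POSIX access() checks permissions against the real user ID, while open()/fopen() use the effective user ID, so the two answers differ inside a set-user-ID program. The function names `access_disagrees_with_open` and `open_as_real_user` are hypothetical, and the code assumes a set-user-ID (not set-group-ID) executable.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Returns 1 when access() reports the file readable but an open() for
 * reading fails, i.e. the symptom described in the report; 0 otherwise.
 * access() is evaluated with the real UID/GID, open() with the effective. */
int access_disagrees_with_open(const char *path)
{
    int real_ok = (access(path, R_OK) == 0);
    int fd = open(path, O_RDONLY);
    if (fd >= 0)
        close(fd);
    return real_ok && fd < 0;
}

/* Open path read-only with the invoking user's rights: make the effective
 * UID equal to the real UID, open, then restore the previous effective UID.
 * Assumes a set-user-ID (not set-group-ID) program, as in the report.
 * Returns a file descriptor, or -1 with errno set. */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    int fd, saved_errno;
    if (seteuid(getuid()) != 0)
        return -1;
    fd = open(path, O_RDONLY);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0) {     /* could not switch back */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(void)
{
    const char *fname = "foo";          /* file name used in the report */
    int fd = open_as_real_user(fname);
    printf("access/open disagree: %d\n", access_disagrees_with_open(fname));
    printf("open as real user: %s\n", fd >= 0 ? "ok" : "failed");
    if (fd >= 0)
        close(fd);
    return 0;
}
```

Opening the file directly and handling the error, rather than calling access() first, also avoids the window between the check and the open in which the file can be replaced.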