Date: Tue, 31 Jul 2001 14:43:45 +0400
From: Yar Tikhiy <yar@FreeBSD.ORG>
To: Mike Barcroft <mike@FreeBSD.ORG>
Cc: audit@FreeBSD.ORG
Subject: Re: finger(1) & fingerd(8)
Message-ID: <20010731144344.B30628@comp.chem.msu.su>
In-Reply-To: <20010730144542.A92125@coffee.q9media.com>; from mike@FreeBSD.ORG on Mon, Jul 30, 2001 at 02:45:42PM -0400
References: <20010728155159.A35483@snark.rinet.ru> <20010728144554.C86837@coffee.q9media.com> <20010730212257.C26476@comp.chem.msu.su> <20010730144542.A92125@coffee.q9media.com>
On Mon, Jul 30, 2001 at 02:45:42PM -0400, Mike Barcroft wrote:
> On Mon, Jul 30, 2001 at 09:22:57PM +0400, Yar Tikhiy wrote:
> > On Sat, Jul 28, 2001 at 02:45:54PM -0400, Mike Barcroft wrote:
> >
> > > > [...]
> > > > 	if (access(buf, F_OK) == 0)
> > > > 		return 1;
> > > [...]
> > >
> > > I know this isn't your code, but this should also probably use open(2)
> > > as well.
> >
> > First, I must have missed something, but why is access(2)
> > a bad thing at this particular point?
>
> There probably aren't any security problems with the use of access(2)
> in this code. That is, I don't see any race conditions. But to my
> understanding, use of access(2) is discouraged. From the access(2)
> man page:
>
> CAVEAT
>      Access() is a potential security hole and should never be used.

IMHO this caveat is akin to a memorable quote from an article on the
Daemon News: "One of the differences between FreeBSD and NetBSD is
that the former needs quoting parameter values in rc.conf, and the
latter need not". I mean they both push people along the easiest,
but thoughtless route.

The actual problem about access(2) is not in the programmer's
unawareness of races, but in the syscall's design itself. It was
intended to be a way to check a file against real user credentials
instead of effective ones. And it turned out a Really Bad Way of
doing that.

Ugh, what I did was convinced myself that access(2) shouldn't be
used, but the argument was not security, but the risk of getting
access(2) obsolete one day, as it already happened to creat(2) :-)

> > Second, open(2) can't be used as a drop-in replacement for access(..,
> > F_OK) here because it can't tell permission errors on a directory from
> > those on a file itself. IMHO stat(2) should be used here if the
> > historical behaviour of finger(1) is to be preserved.
>
> I'm afraid I don't understand what you mean. How does
> access(buf, F_OK) differ from open(buf, O_RDONLY) in terms of
> permissions in this case?
> From the access(2) man page:
>
>      All components of the pathname path are checked for access
>      permissions (including F_OK).

Don't believe newspapers and manpages blindly ;-)

Access(..., F_OK) returns 0 if a file can be seen, but can't be read.

--
Yar
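The distinction Yar draws between access(F_OK), open(O_RDONLY) and stat(2), as an added example that is not from this thread or from finger(1)'s source: it probes a constructed file with all three calls, first when the file itself is mode 0000 (present but unreadable) and, via the accompanying chmod on its directory, when the path is untraversable. `probe_path`, `make_fixture` and the `/tmp/nofinger-XXXXXX` fixture path are names chosen here; run it as a non-root user, since root bypasses both permission checks.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What each candidate existence check reports for one path:
 * access(F_OK) result, stat(2) result, open(O_RDONLY) result and errno. */
struct probe { int access_ok, stat_ok, open_ok, open_errno; };

/* Run access(F_OK), stat(2) and open(O_RDONLY) against path and record
 * what each says, without assuming any of them agree. */
struct probe probe_path(const char *path)
{
    struct probe p = {0, 0, 0, 0};
    struct stat st;
    int fd;

    p.access_ok = (access(path, F_OK) == 0);
    p.stat_ok = (stat(path, &st) == 0);
    fd = open(path, O_RDONLY);
    if (fd >= 0) {
        p.open_ok = 1;
        close(fd);
    } else {
        p.open_errno = errno;
    }
    return p;
}

/* Constructed fixture: a fresh temp directory holding a mode-0000 file,
 * standing in for a ~user/.nofinger that exists but cannot be read.
 * On success writes the two paths into dir and file and returns 0. */
int make_fixture(char *dir, size_t dirlen, char *file, size_t filelen)
{
    int fd;

    snprintf(dir, dirlen, "/tmp/nofinger-XXXXXX");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, filelen, "%s/.nofinger", dir);
    fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0000);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}
```

With the file unreadable, access(F_OK) and stat(2) both report it present while open(2) fails with EACCES; once the directory is chmod 0000, all three fail with EACCES, so open(2) alone cannot tell the two situations apart.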