From owner-freebsd-questions Thu Jul 2 17:23:48 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA05050 for freebsd-questions-outgoing; Thu, 2 Jul 1998 17:23:48 -0700 (PDT) (envelope-from owner-freebsd-questions@FreeBSD.ORG) Received: from pobox.com (skaro-2-140.mdm.mke.execpc.com [169.207.139.206]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id RAA04793 for ; Thu, 2 Jul 1998 17:22:33 -0700 (PDT) (envelope-from hamilton@pobox.com) Message-Id: <199807030022.RAA04793@hub.freebsd.org> Received: (qmail 12641 invoked from network); 2 Jul 1998 19:20:55 -0500 Received: from localhost (HELO pobox.com) (127.0.0.1) by localhost with SMTP; 2 Jul 1998 19:20:55 -0500 To: joelh@gnu.org cc: freebsd-questions@FreeBSD.ORG Subject: Re: access(2) security issues In-reply-to: Your message of "Thu, 02 Jul 1998 16:34:17 CDT." <199807022134.QAA06871@detlev.UUCP> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Thu, 02 Jul 1998 19:20:55 -0500 From: Jon Hamilton Sender: owner-freebsd-questions@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG In message <199807022134.QAA06871@detlev.UUCP>, Joel Ray Holveck wrote: } I see in access(2): } } CAVEAT } Access() is a potential security hole and should never be used. } } I'm presently changing the file operations on a program that uses } access, and one module operates suid root. What do I need to concern } myself with? I didn't see anything in the CVS logs or mailing } archives. It's not a problem with access() per se, but the information you get back from it is largely useless, unless you just want to print out a diagnostic or somesuch. The problem with trusting access() is that there's a race condition between the time it tells you what you want to hear, and the time you wander out and try to open() the file (for example). Since you have to check the return status on open() anyway, you're better off just trying to open() the file in the first place, and base your error recovery on the results of that. -- Jon Hamilton hamilton@pobox.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message