From owner-freebsd-security Thu Oct 10 12:31:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 356A137B401 for ; Thu, 10 Oct 2002 12:31:56 -0700 (PDT)
Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 72B7043E4A for ; Thu, 10 Oct 2002 12:31:54 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1]) by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g9AJVhBY013614; Thu, 10 Oct 2002 12:31:43 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost) by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g9AJVcB7013613; Thu, 10 Oct 2002 12:31:38 -0700 (PDT) (envelope-from dschultz@uclink.Berkeley.EDU)
Date: Thu, 10 Oct 2002 12:31:38 -0700
From: David Schultz
To: Peter Jeremy
Cc: The Anarcat, FreeBSD Security Issues
Subject: Re: access() is a security hole?
Message-ID: <20021010193137.GA13547@HAL9000.homeunix.com>
Mail-Followup-To: Peter Jeremy, The Anarcat, FreeBSD Security Issues
References: <20021008183227.GC309@lenny.anarcat.ath.cx> <20021008212335.GF309@lenny.anarcat.ath.cx> <20021008221046.GV495@gsmx07.alcatel.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021008221046.GV495@gsmx07.alcatel.com.au>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Thus spake Peter Jeremy:
> On 2002-Oct-08 17:23:35 -0400, The Anarcat wrote:
> >Also, this means that the stat() manpage should also contain a
> >similar section about its non-fd incarnations.
>
> I disagree.  access(2) is specifically designed to allow setuid/setgid
> programs to validate access rights based on the real uid/gid - but is
> virtually impossible to use safely for this task because of the
> inherent race conditions.

No, access(2) is designed to allow NON-setuid programs to easily do
sanity checks without opening a file or device right away.  There's
still a race condition, but it isn't typically a security threat when
all you're trying to do is prevent the user from shooting himself in
the foot.  To use access() in a setuid program is usually an error.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
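Both positions in the exchange above rest on the same check-then-use race: a setuid program that calls access(2) and then open(2) checks one object and may open another, because the path can be re-pointed in between. The program below is an added example written for this page; it is not code from the thread, from FreeBSD, or from either poster. It simulates the race deterministically with a hook (`between`) that stands in for the attacker's window and swaps the checked file for a symlink to a different one, and it shows the usual non-racy alternative for a setuid program: temporarily take on the real uid/gid and let open(2) itself do the permission check. The function names, the hook, and the scratch directory under /tmp are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern: access(2) answers for the real uid, open(2) then runs with
 * the effective uid. Between the two calls 'path' may be re-pointed
 * (rename, symlink swap) at an object the real user may NOT read, and the
 * privileged open follows the new target. 'between' is a test hook that
 * stands in for the attacker's window (an assumption of this example). */
int open_racy(const char *path, int flags, void (*between)(void *), void *arg)
{
    if (access(path, R_OK) != 0)
        return -1;                    /* real uid may not read: refuse */
    if (between)
        between(arg);                 /* <-- race window */
    return open(path, flags);         /* opens whatever 'path' names NOW */
}

/* Non-racy alternative for a setuid program: become the real user for the
 * duration of the open, so the permission check and the open are one kernel
 * operation on one object. Group is dropped first and restored last, since
 * a non-root euid may not change the egid. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;
    fd = open(path, flags);
    saved_errno = errno;
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();                      /* never continue with unknown creds */
    errno = saved_errno;
    return fd;
}

/* Attacker step for the simulation: replace 'victim' with a symlink to 'secret'. */
struct swap { char victim[256]; char secret[256]; };
static void swap_in_symlink(void *arg)
{
    struct swap *s = arg;
    unlink(s->victim);
    symlink(s->secret, s->victim);
}

/* Returns 1 if open_racy() ended up opening 'secret' although access(2)
 * was evaluated on 'victim'; -1 if the scratch directory could not be made.
 * Both files are constructed inputs living in a fresh directory under /tmp. */
int demo_race_wins(void)
{
    char dir[] = "/tmp/accessXXXXXX";
    struct swap s;
    struct stat st_secret, st_opened;
    int fd, won = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(s.victim, sizeof s.victim, "%s/victim", dir);
    snprintf(s.secret, sizeof s.secret, "%s/secret", dir);
    fd = open(s.victim, O_WRONLY | O_CREAT, 0644); if (fd >= 0) close(fd);
    fd = open(s.secret, O_WRONLY | O_CREAT, 0600); if (fd >= 0) close(fd);
    if (stat(s.secret, &st_secret) != 0) return -1;

    fd = open_racy(s.victim, O_RDONLY, swap_in_symlink, &s);
    if (fd >= 0 && fstat(fd, &st_opened) == 0)
        won = (st_opened.st_ino == st_secret.st_ino &&
               st_opened.st_dev == st_secret.st_dev);
    if (fd >= 0) close(fd);
    unlink(s.victim); unlink(s.secret); rmdir(dir);
    return won;
}

/* Returns 1 if open_as_real_user() reads a constructed file correctly,
 * restores the effective ids afterwards, and reports ENOENT for a missing path. */
int demo_open_as_real_user(void)
{
    char dir[] = "/tmp/accessXXXXXX", path[256], buf[8];
    uid_t euid_before = geteuid();
    int fd, ok = 0;

    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/data", dir);
    fd = open(path, O_WRONLY | O_CREAT, 0644);
    if (fd >= 0) { if (write(fd, "hello\n", 6) == 6) ok = 1; close(fd); }
    fd = open_as_real_user(path, O_RDONLY);
    if (fd >= 0) {
        ok = ok && read(fd, buf, sizeof buf) == 6 && memcmp(buf, "hello\n", 6) == 0;
        close(fd);
    } else ok = 0;
    ok = ok && geteuid() == euid_before;
    ok = ok && open_as_real_user("/nonexistent-dir-for-this-example/f", O_RDONLY) == -1
            && errno == ENOENT;
    unlink(path); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("racy access()+open() followed the swapped symlink: %d\n", demo_race_wins());
    printf("open as real user behaves: %d\n", demo_open_as_real_user());
    return 0;
}
```

Run unprivileged the swap still succeeds, because the point is not privilege but identity: the inode access(2) approved is not the inode open(2) returned. In a real setuid binary the gap is what turns a harmless sanity check into a read of a file the invoking user could not open, which is why the reply above calls access() in setuid code an error; the drop-privileges-then-open variant has no such gap.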