Date: Fri, 11 Oct 2002 02:36:44 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Bruce Evans <bde@zeta.org.au>
Cc: Peter Jeremy <peter.jeremy@alcatel.com.au>, The Anarcat <anarcat@anarcat.ath.cx>, FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>
Subject: Re: access() is a security hole?
Message-ID: <20021011093644.GA15563@HAL9000.homeunix.com>
In-Reply-To: <20021011185423.B12227-100000@gamplex.bde.org>
References: <20021010193137.GA13547@HAL9000.homeunix.com> <20021011185423.B12227-100000@gamplex.bde.org>
Thus spake Bruce Evans <bde@zeta.org.au>:
> No, it was designed to be useful to setuid programs. Whether it
> actually is useful is arguable. From the V7 manual:
>
> "The user and group IDs with respect to which permission is checked
> are the real UID and GID of the process, so that this call is useful
> to set-UID programs".
>
> Setuid programs should only use access() to check whether they will
> have permission after they set[ug]id() to the real [ug]id. Non-setuid
> programs mostly don't need such checks. They can just try the operation.

I don't really see how it's arguable, given that you can't avoid a race
between time of use and time of access check. Using it to check for
permission is inherently insecure.

And...err...I believe Version 7 shipped with a version of mail(1) that
allowed any user to write arbitrary files to other users' home
directories. While it may be a good source of information on the
original /intent/ of the access(2) syscall, it certainly isn't a good
reference on computer security.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
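The two patterns the thread argues about, as an added C example that is not code from the thread or from FreeBSD: the access()-then-open() sequence with the time-of-check/time-of-use window David describes, beside an open() performed after temporarily setting the effective IDs to the real IDs, which is the use Bruce describes. The function names are made up for illustration.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700   /* for seteuid()/setegid() declarations */
#endif
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Time-of-check/time-of-use: access() consults the real UID/GID at one
 * instant, open() then uses the effective (privileged) IDs at a later
 * instant.  Whatever 'path' names can be changed in between. */
int open_after_access_check(const char *path, int flags)
{
    int mode = ((flags & O_ACCMODE) == O_RDONLY) ? R_OK : W_OK;
    if (access(path, mode) != 0)
        return -1;          /* errno left set by access() */
    /* --- window: nothing pins the object 'path' refers to here --- */
    return open(path, flags);
}

/* The alternative Bruce describes: open() while effective IDs equal the
 * real IDs, so the kernel's permission check and the open are one atomic
 * step.  Drop egid before euid (changing the gid needs privilege) and
 * restore in reverse order.  In a non-setuid process real and effective
 * IDs already agree and the set*id() calls are harmless no-ops.
 * 'flags' must not include O_CREAT (no mode argument is passed). */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_uid = geteuid();
    gid_t saved_gid = getegid();
    int fd, saved_errno;
    if (setegid(getgid()) != 0)
        return -1;
    if (seteuid(getuid()) != 0) {
        saved_errno = errno;
        (void)setegid(saved_gid);
        errno = saved_errno;
        return -1;
    }
    fd = open(path, flags);
    saved_errno = errno;
    /* Regain privilege; if that fails, do not carry on half-privileged. */
    if (seteuid(saved_uid) != 0 || setegid(saved_gid) != 0) {
        saved_errno = errno;
        if (fd >= 0)
            close(fd);
        fd = -1;
    }
    errno = saved_errno;
    return fd;
}
```

Both functions return an open descriptor or -1 with errno set; only the second one leaves no gap between the permission decision and the open.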