From owner-freebsd-security  Fri Oct 11  2:36:58 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3046E37B401
	for <FreeBSD-security@FreeBSD.ORG>; Fri, 11 Oct 2002 02:36:56 -0700 (PDT)
Received: from HAL9000.homeunix.com (12-232-220-15.client.attbi.com [12.232.220.15])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 8B5A243EC2
	for <FreeBSD-security@FreeBSD.ORG>; Fri, 11 Oct 2002 02:36:55 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: from HAL9000.homeunix.com (localhost [127.0.0.1])
	by HAL9000.homeunix.com (8.12.6/8.12.5) with ESMTP id g9B9ajBY015799;
	Fri, 11 Oct 2002 02:36:45 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Received: (from das@localhost)
	by HAL9000.homeunix.com (8.12.6/8.12.5/Submit) id g9B9aiab015798;
	Fri, 11 Oct 2002 02:36:44 -0700 (PDT)
	(envelope-from dschultz@uclink.Berkeley.EDU)
Date: Fri, 11 Oct 2002 02:36:44 -0700
From: David Schultz <dschultz@uclink.Berkeley.EDU>
To: Bruce Evans <bde@zeta.org.au>
Cc: Peter Jeremy <peter.jeremy@alcatel.com.au>,
	The Anarcat <anarcat@anarcat.ath.cx>,
	FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>
Subject: Re: access() is a security hole?
Message-ID: <20021011093644.GA15563@HAL9000.homeunix.com>
Mail-Followup-To: Bruce Evans <bde@zeta.org.au>,
	Peter Jeremy <peter.jeremy@alcatel.com.au>,
	The Anarcat <anarcat@anarcat.ath.cx>,
	FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>
References: <20021010193137.GA13547@HAL9000.homeunix.com> <20021011185423.B12227-100000@gamplex.bde.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20021011185423.B12227-100000@gamplex.bde.org>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

Thus spake Bruce Evans <bde@zeta.org.au>:
> No, it was designed to be useful to setuid programs.  Whether it
> actually is useful is arguable.  From the V7 manual:
> 
>     "The user and group IDs with respect to which permission is checked
>     are the real UID and GID of the process, so that this call is useful
>     to set-UID programs".
> 
> Setuid programs should only use access() to check whether they will
> have permission after they set[ug]id() to the real [ug]id.  Non-setuid
> programs mostly don't need such checks.  They can just try the operation.

I don't really see how it's arguable, given that you can't avoid a
race between time of use and time of access check.  Using it to
check for permission is inherently insecure.

And...err...I believe Version 7 shipped with a version of mail(1)
that allowed any user to write arbitrary files to other users'
home directories.  While it may be a good source of information on
the original /intent/ of the access(2) syscall, it certainly isn't
a good reference on computer security.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message