From owner-freebsd-security Fri Oct 11 9:56:29 2002
From: Ricardo Anguiano
To: benjamin@seattlefenix.net
Cc: Chris BeHanna, FreeBSD Security
Subject: Re: access() is a security hole?
Date: 11 Oct 2002 09:56:24 -0700
In-Reply-To: <20021011164805.GA27132@surreal.seattlefenix.net>
References: <20021011094935.I86274-100000@topperwein.pennasoft.com> <20021011164805.GA27132@surreal.seattlefenix.net>

Benjamin Krueger writes:

> * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]:
> > Chris BeHanna writes:
> >
> > > On Fri, 11 Oct 2002, Bruce Evans wrote:
> > > > Setuid programs should only use access() to check whether they will
> > > > have permission after they set[ug]id() to the real [ug]id. Non-setuid
> > > > programs mostly don't need such checks. They can just try the operation.
> > >
> > > Perhaps the way to avoid the race is to open the file, lock it,
> > > and *then* call access(), then close the file or proceed based upon
> > > the result.
> >
> > What's wrong with opening the file, then using fstat to check the
> > properties of the file associated with the file descriptor?
> >
> > --
> > Ricardo Anguiano
> > CodeSourcery, LLC
>
> And if you don't have sufficient permission to open the file?

IMHO, then there was no point in making the access(2) call. The problem
exists when the process is running with elevated privileges. AFAIK,
open(2) does not fail due to permission problems when run as root.
Thus, the need to check for the invoking user's permission to open the
file.

PS: Chris: postmaster@telstraclear.co.nz says you don't exist.

--
Ricardo Anguiano
CodeSourcery, LLC