From owner-freebsd-questions Sat Mar 31 14:28:40 2001
Delivered-To: freebsd-questions@freebsd.org
Received: from clmboh1-smtp3.columbus.rr.com (clmboh1-smtp3.columbus.rr.com [65.24.0.112]) by hub.freebsd.org (Postfix) with ESMTP id 4243337B718 for ; Sat, 31 Mar 2001 14:28:37 -0800 (PST) (envelope-from wmoran@iowna.com)
Received: from iowna.com (dhcp065-024-023-232.columbus.rr.com [65.24.23.232]) by clmboh1-smtp3.columbus.rr.com (8.11.2/8.11.2) with ESMTP id f2VMPow28221; Sat, 31 Mar 2001 17:25:51 -0500 (EST)
Message-ID: <3AC668E1.341AE7BA@iowna.com>
Date: Sat, 31 Mar 2001 18:31:45 -0500
From: Bill Moran
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RC i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Mike Meyer
Cc: questions@freebsd.org
Subject: Re: access() system call
References: <15046.13882.845275.101113@guru.mired.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Mike Meyer wrote:
> 
> Bill Moran types:
> > This may be a question for -hackers, but I'll try here first.
> > 
> > In the man page for the access(2) syscall, it states "access() is a
> > potential security hole and should never be used."
> > 
> > I have 3 questions regarding this:
> > 
> > 1. What should I use instead?
> 
> As others have indicated, stat.

Agreed.

> > 2. Is there any more information on why access() is such a terrible
> > security hole?
> 
> I'd say the following quote from the man page pretty much covers it:
> 
>     Even if a process has appropriate privileges and indicates success for
>     X_OK, the file may not actually have execute permission bits set.
>     Likewise for R_OK and W_OK.
Unfortunately, that's a little ambiguous (I didn't have a clue what it was
talking about until someone pointed out the race condition to me). I would
recommend something more like:

    "access() can produce a race condition between the time access() is
    called and subsequent attempts to actually access the file. For this
    reason, it is not generally safe to use access() to test permissions."

> One of the common uses for access is to check the privileges of the
> real user in a program that has enhanced its privileges via set?id.
> Since access can get this wrong, trusting it is a security hole. You
> have to either check things yourself via stat (and don't forget to
> check all the directories along the path as well), or surrender the
> enhanced privileges before attempting the operation you're authorizing
> with access. If you're not using enhanced privileges, then this isn't
> a problem - just use access, and be prepared for things to fail.

In 99.9% of the cases, you are correct. However, I seem to have a
situation that includes the .1%. See the other posting for a description
of it, and feel free to comment.

> > 3. Does not access(1) use access(2)? If so, that would make access(1) a
> > security problem. Which is not documented in the man page (or anywhere
> > else that I can find)
> 
> I'm not sure why it's relevant, but the sources to everything are
> available.

It's not ... now that I know why access() presents a security problem.

-Bill

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
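The race discussed in this thread, and the "surrender the enhanced privileges before the operation" fix, as an added example (not code from the thread's participants or from FreeBSD). The check-then-open function is the pattern the man page warns about, kept only for contrast; open_as_real_user() temporarily drops the effective uid/gid to the real ones so that the kernel's permission check inside open() is the authorization decision. The path "/dev/null" is a constructed default.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* The pattern the man page warns about, kept only for contrast: access()
 * judges the real uid and open() the effective uid, and they are separate
 * syscalls, so the name can be re-pointed at another file between them. */
int readable_via_access_then_open(const char *path)
{
    if (access(path, R_OK) != 0)
        return 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Hardened form from the thread: become the real user for the duration of
 * open(), so the kernel's check inside open() is the authorization decision
 * and there is no earlier check to race. Supplementary groups are left
 * alone; a setgid program would also need setgroups(). Returns fd or -1. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;
    /* Group first, while still privileged enough to change it. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        abort();                     /* cannot continue half-dropped */
    fd = open(path, flags);
    saved_errno = errno;
    /* The saved set-user-ID lets us regain privilege; never continue if not. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0)
        abort();
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    const char *p = argc > 1 ? argv[1] : "/dev/null";    /* constructed default */
    int fd = open_as_real_user(p, O_RDONLY);
    printf("access()+open(): %d   open as real user: %s\n",
           readable_via_access_then_open(p), fd >= 0 ? "ok" : "denied");
    return 0;
}
```

Run as an ordinary user both calls behave the same; the difference only matters in a set-user-ID program, where the second form answers the question "may the real user open this?" on the very object open() resolved, with no window between the check and the use.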