From owner-freebsd-security  Tue Oct  8 12:28:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 1D9F737B401
	for <FreeBSD-security@freebsd.org>; Tue,  8 Oct 2002 12:28:24 -0700 (PDT)
Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 4395543E6A
	for <FreeBSD-security@freebsd.org>; Tue,  8 Oct 2002 12:28:23 -0700 (PDT)
	(envelope-from Jan.Grant@bristol.ac.uk)
Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV 
          with ESMTP; Tue, 8 Oct 2002 20:28:12 +0100
Received: from cmjg (helo=localhost)	by mail.ilrt.bris.ac.uk 
          with local-esmtp (Exim 3.16 #1)	id 17yzz2-0002xm-00;
          Tue, 08 Oct 2002 20:25:32 +0100
Date: Tue, 8 Oct 2002 20:25:32 +0100 (BST)
From: Jan Grant <Jan.Grant@bristol.ac.uk>
X-X-Sender: cmjg@mail.ilrt.bris.ac.uk
To: The Anarcat <anarcat@anarcat.ath.cx>
Cc: FreeBSD Security Issues <FreeBSD-security@FreeBSD.ORG>
Subject: Re: access() is a security hole?
In-Reply-To: <20021008183227.GC309@lenny.anarcat.ath.cx>
Message-ID: <Pine.GSO.4.44.0210082024200.11104-100000@mail.ilrt.bris.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

On Tue, 8 Oct 2002, The Anarcat wrote:

> The access(2) manpage mentions an obscure security hole in
> access(2). How so?
>
> "
> CAVEAT
>      Access() is a potential security hole and should never be used.
> "
>
> This seems to have been part of the manpage forever, or so to speak,
> so I really wonder what it's talking about. :)

Race conditions. Rather than using access, the idea is presumably that
you drop privs and try to actually access the object, getting a file
handle in the process.

Canonical counterexample, IIRC, is samba.


-- 
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Ever see something and think, "I've gotta leverage me some of that?"
Odds are, you were looking at a synergy and didn't even know it.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message