Date:      Tue, 15 Oct 2002 04:52:07 -0700
From:      Benjamin Krueger <benjamin@seattleFenix.net>
To:        Benjamin Krueger <benjamin@seattleFenix.net>
Cc:        Ricardo Anguiano <anguiano@codesourcery.com>, Chris BeHanna <behanna@zbzoom.net>, FreeBSD Security <security@FreeBSD.ORG>
Subject:   Re: access() is a security hole?
Message-ID:  <20021015115207.GB15573@surreal.seattlefenix.net>
In-Reply-To: <20021011164805.GA27132@surreal.seattlefenix.net>
References:  <20021011094935.I86274-100000@topperwein.pennasoft.com> <m3r8exszf8.fsf@mordack.codesourcery.com> <20021011164805.GA27132@surreal.seattlefenix.net>

* Benjamin Krueger (benjamin@seattleFenix.net) [021015 04:39]:
> * Ricardo Anguiano (anguiano@codesourcery.com) [021011 09:39]:
> > Chris BeHanna <behanna@zbzoom.net> writes:
> > 
> > > On Fri, 11 Oct 2002, Bruce Evans wrote:
> > > > Setuid programs should only use access() to check whether they will
> > > > have permission after they set[ug]id() to the real [ug]id.  Non-setuid
> > > > programs mostly don't need such checks.  They can just try the operation.
> > > 
> > >     Perhaps the way to avoid the race is to open the file, lock it,
> > > and *then* call access(), then close the file or proceed based upon
> > > the result.
> > 
> > What's wrong with opening the file, then using fstat to check the
> > properties of the file associated with the file descriptor?
> > 
> > -- 
> > Ricardo Anguiano
> > CodeSourcery, LLC
> 
> And if you don't have sufficient permission to open the file?

Please ignore this. It was sent Friday but just fell out of a stuffed-up
mail server.

-- 
Benjamin Krueger
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
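
The open-then-fstat() approach raised in the quoted thread, as an added example that is not part of the original message. The helper name `open_checked` and its ownership/mode policy are assumptions chosen for illustration. Because the checks run on the descriptor, they describe the same object that later reads will use, unlike a path-based access() check followed by a separate open().

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: returns an open read-only fd, or -1 on failure.
 * Policy (an assumption for this example): regular file, owned by `owner`,
 * not writable by group or others. */
int open_checked(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as the final path component.
     * O_NONBLOCK: do not hang if the path names a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;      /* errno from open(), e.g. EACCES or ELOOP */

    /* fstat() reports on the object this descriptor refers to, so renaming
     * or replacing the path after open() cannot change the answer. */
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == owner &&
        !(st.st_mode & (S_IWGRP | S_IWOTH)))
        return fd;

    close(fd);
    errno = EPERM;      /* opened, but failed the policy check */
    return -1;
}

int main(void)
{
    char path[] = "/tmp/fstat_demo_XXXXXX";  /* constructed sample file */
    int tmp = mkstemp(path);                 /* created with mode 0600 */
    if (tmp < 0)
        return 1;
    close(tmp);
    int fd = open_checked(path, geteuid());
    printf("0600 file: %s\n", fd >= 0 ? "accepted" : "rejected");
    if (fd >= 0)
        close(fd);
    chmod(path, 0666);                       /* now world-writable */
    fd = open_checked(path, geteuid());
    printf("0666 file: %s\n", fd >= 0 ? "accepted" : "rejected");
    unlink(path);
    return 0;
}
```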
