From owner-freebsd-hackers Sat Mar 31 8:47:25 2001
Message-ID: <3AC60925.7CF191FA@iowna.com>
Date: Sat, 31 Mar 2001 11:43:17 -0500
From: Bill Moran
To: freebsd-hackers@freebsd.org
Subject: Security problems with access(2)?

I'm working on a quick little programming project for a client and ran across this in the man page for access(2)

"Access() is a potential security hole and should never be used."

Obviously, I could use stat() instead, but use of access() will make this project so simple it's not even funny.

Since that message is rather brief, I went looking for some more information. In the source tree I found a number of programs that use access() - including tcsh, sendmail and perl.

I'm a little confused here, if access() is such a serious security problem that it should _never_ be used, do we now have a major problem with a large amount of software in the base system?

Does anyone have a pointer to more detailed information on the potential security hole in access()? I've got a bit more research to do on this, but I'd appreciate any pointers to speed me along.

-Bill
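
Added example, not part of the original message and not code from FreeBSD or the programs named above: the man-page warning is usually explained by the gap between the access() check, made with the real uid/gid, and the later open(), made with the effective ids, which matters when the two differ (a setuid or setgid program). The C code below puts that check-then-use pattern beside a form that lets open() make the decision in one step; the function names `open_checked_racy` and `open_as_real_user` and the sample path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Check-then-use: access() tests the path against the real uid/gid, but
 * open() runs later with the effective ids. If the path is changed between
 * the two calls, the check no longer describes the file that gets opened. */
int open_checked_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY);    /* a second, separate path lookup */
}

/* Hardened form: run open() itself with the real ids, so the kernel makes
 * the permission decision and the open in one step. Supplementary groups
 * are left unchanged here. */
int open_as_real_user(const char *path)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    if (setegid(getgid()) != 0)     /* group first, while still privileged */
        return -1;
    if (seteuid(getuid()) != 0) {
        (void)setegid(saved_egid);
        return -1;
    }
    fd = open(path, O_RDONLY);
    saved_errno = errno;
    /* Restore in reverse order; fail closed if privileges cannot be restored. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";   /* sample path */
    int fd = open_as_real_user(path);
    printf("%s: %s\n", path, fd >= 0 ? "opened as real user" : "refused");
    return fd >= 0 ? 0 : 1;
}
```

In a program whose real and effective ids are the same, both functions behave alike; the difference only shows when the program runs with elevated effective ids.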