Date: Sat, 31 Mar 2001 11:02:48 -0600
From: Rick Bradley
To: Bill Moran
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Security problems with access(2)?
Message-ID: <20010331110248.A28931@negwo.roundeye.net>
In-Reply-To: <3AC60925.7CF191FA@iowna.com>

* Bill Moran (wmoran@iowna.com) [010331 10:48]:
[...]
> Does anyone have a pointer to more detailed information on the potential
> security hole in access()? I've got a bit more research to do on this,
> but I'd appreciate any pointers to speed me along.

I'd say the docs are referring to the potential race condition:

 - Program calls access() to see if user has authority to open a file
   and gets an affirmative result
 - User swaps file with another file (say a link to the password file)
 - Program calls open() on the file, which has been replaced since the
   call to access()

If the program is running with more privileges than the user this is a
truck-sized hole (or at least SUV-sized).

Rick
--
Rick Bradley / http://www.roundeye.net
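
The access()/open() sequence described in the message above, as an added C example that is not part of the original post: it sets the check-then-use pattern beside one common alternative, which opens the file once and then checks the object behind the descriptor. The hook type `window_fn`, the helper `swap_name`, the functions and the temporary files are all constructed for illustration, and the open-then-fstat() approach is an assumption about a suitable fix, not something the thread proposes; `O_NOFOLLOW` only covers the last path component.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*window_fn)(const char *path); /* hypothetical hook: the other user's turn */
static char other[64];                       /* constructed file the user must not reach */
/* Constructed stand-in for the swap step: re-point the name at `other`. */
static void swap_name(const char *path) {
    if (unlink(path) == 0 && symlink(other, path) != 0) perror("symlink");
}
/* Pattern from the thread: check by name, then open by name. */
int open_check_then_use(const char *path, window_fn window) {
    if (access(path, R_OK) != 0) return -1;
    if (window) window(path);                /* the name can change between the calls */
    return open(path, O_RDONLY);
}
/* One lookup that refuses a final-component symlink, then checks on the fd itself. */
int open_then_verify(const char *path, uid_t user, window_fn window) {
    if (window) window(path);                /* same swap, before the single lookup */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    struct stat st;
    if (fd < 0) return -1;
    int ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && st.st_uid == user;
    if (!ok) { close(fd); return -1; }
    return fd;
}
int fd_is(int fd, const char *path) {        /* 1 if fd and path name the same inode */
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0) return 0;
    return a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}
/* Bit 0: check-then-use ended up on `other`; bit 1: verified open refused the swap. */
int demo(void) {
    char dir[] = "/tmp/toctouXXXXXX", mine[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(mine, sizeof mine, "%s/mine", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    close(open(mine, O_CREAT | O_WRONLY, 0600));
    close(open(other, O_CREAT | O_WRONLY, 0600));
    int racy = open_check_then_use(mine, swap_name);
    int safe = open_then_verify(mine, getuid(), swap_name);
    int result = (racy >= 0 && fd_is(racy, other)) | ((safe < 0) << 1);
    close(racy); close(safe); unlink(mine); unlink(other); rmdir(dir);
    return result;
}
int main(void) { printf("demo() = %d\n", demo()); return 0; }
```

In a program that runs with more privileges than its user, the same effect is often obtained by dropping the effective uid to the real uid around a plain open(), so the kernel performs the permission check and the open as one operation.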