From owner-freebsd-hackers Sat Mar 31 9:50: 7 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from mr200.netcologne.de (mr200.netcologne.de [194.8.194.109]) by hub.freebsd.org (Postfix) with ESMTP id AEA5837B718 for ; Sat, 31 Mar 2001 09:50:03 -0800 (PST) (envelope-from pherman@frenchfries.net)
Received: from husten.security.at12.de (dial-213-168-92-177.netcologne.de [213.168.92.177]) by mr200.netcologne.de (Mirapoint) with ESMTP id ADG10829; Sat, 31 Mar 2001 19:50:01 +0200 (CEST)
Received: from localhost (localhost.security.at12.de [127.0.0.1]) by husten.security.at12.de (8.11.3/8.11.2) with ESMTP id f2VHnoP75442; Sat, 31 Mar 2001 19:49:50 +0200 (CEST) (envelope-from pherman@frenchfries.net)
Date: Sat, 31 Mar 2001 19:49:48 +0200 (CEST)
From: Paul Herman
To: Warner Losh
Cc: Bill Moran ,
Subject: Re: Security problems with access(2)?
In-Reply-To: <200103311726.f2VHQIO13750@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 31 Mar 2001, Warner Losh wrote:

> In message <3AC60925.7CF191FA@iowna.com> Bill Moran writes:
> : I'm a little confused here, if access() is such a serious security
> : problem that it should _never_ be used, do we now have a major problem
> : with a large amount of software in the base system?
>
> Access(2) can be raced.

Shouldn't the stat(2) manpage then also carry the same warning that access(2) has (apparently dating back to 4.4BSD-Lite)? ...or maybe even a suggestion to use fstat(2) instead...

-Paul.

Index: stat.2
===================================================================
RCS file: /home/ncvs/src/lib/libc/sys/stat.2,v
retrieving revision 1.16.2.3
diff -u -r1.16.2.3 stat.2
--- stat.2 2000/12/08 13:49:32 1.16.2.3
+++ stat.2 2001/03/31 17:44:27
@@ -273,6 +273,10 @@ .Fn fstat function calls are expected to conform to .St -p1003.1-90 . +.Sh CAVEAT +.Fn stat +is a potential security hole and +should never be used. .Sh HISTORY A .Fn stat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
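Review bot: the new CAVEAT section states a conclusion without its reason or its remedy, so a reader of stat.2 cannot tell which uses are unsafe or what to do instead. The hazard raised in the thread is the race between checking a pathname and later using it (the same reason the access(2) caveat exists), and the mail itself names the alternative, fstat(2) on an already-open descriptor. Suggest the caveat say so, for example: "The result of .Fn stat on a pathname can be invalidated before the pathname is used; check an open descriptor with .Fn fstat instead." The phrase "should never be used" is also broader than the race justifies: it is the check-then-use pattern on a path that is unsafe, not every call.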
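The race behind the access(2) warning discussed in the thread, beside the fstat(2) alternative Paul suggests, as an added C example that is not part of the mail or of the FreeBSD source; the function names and the temporary file path are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Racy form: the decision is made on the path, and the path is then opened
 * again. Nothing ties the object stat(2) examined to the one open(2) returns;
 * the name can be rebound in between (the same race the thread describes). */
int open_regular_racy(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) == -1 || !S_ISREG(sb.st_mode))
        return -1;
    return open(path, O_RDONLY);   /* may no longer be the file just checked */
}

/* Checked form: open first, then ask fstat(2) about the descriptor. A
 * descriptor is bound to one object, so the check and the later reads
 * concern the same file; anything failing the check is closed again. */
int open_regular_checked(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDONLY);
    if (fd == -1)
        return -1;
    if (fstat(fd, &sb) == -1 || !S_ISREG(sb.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed check: a fresh temporary regular file must be accepted and a
 * directory rejected. Returns 1 when the checked opener behaves that way. */
int demo_regular_vs_directory(void)
{
    char name[] = "/tmp/stat2-exampleXXXXXX";  /* constructed sample path */
    int tfd = mkstemp(name), fd, ok;
    if (tfd == -1)
        return 0;
    fd = open_regular_checked(name);
    ok = (fd != -1) && (open_regular_checked("/") == -1);
    if (fd != -1)
        close(fd);
    close(tfd);
    unlink(name);
    return ok;
}
```

The checked form does not make stat(2) itself dangerous or safe; it moves the decision onto the descriptor that will actually be used, which is the point of suggesting fstat(2) in the caveat.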