From owner-freebsd-hackers Sat Mar 31 13:14:35 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from maxim.gbch.net (gw.gbch.net [203.24.22.66]) by hub.freebsd.org (Postfix) with SMTP id 3373437B71D for ; Sat, 31 Mar 2001 13:14:28 -0800 (PST) (envelope-from gjb@gbch.net)
Received: (qmail 85141 invoked by uid 1001); 1 Apr 2001 07:14:23 +1000
Message-ID:
X-Posted-By: GJB-Post 2.13 09-Feb-2001
X-Operating-System: FreeBSD 4.2-RELEASE i386
X-Location: Brisbane, Australia; 27.49841S 152.98439E
X-URL: http://www.gbch.net/gjb.html
X-Image-URL: http://www.gbch.net/gjb/gjb-auug048.gif
X-GPG-Fingerprint: EBB2 2A92 A79D 1533 AC00 3C46 5D83 B6FB 4B04 B7D6
X-PGP-Public-Keys: http://www.gbch.net/keys.html
Date: Sun, 01 Apr 2001 07:14:23 +1000
From: Greg Black
To: Bill Moran
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Security problems with access(2)?
References: <3AC644B1.1BB56BB3@iowna.com>
In-reply-to: <3AC644B1.1BB56BB3@iowna.com> of Sat, 31 Mar 2001 15:57:21 EST
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bill Moran wrote:

| Thanks for the additional explanation. It has done a number of things
| for me, one of which is convince me that (for my application) the use of
| access() is not a security problem.

You're almost certainly wrong in that conclusion; and even if you're not
wrong now, there'll come a day when you re-use that code or extend that
program without thinking about the effects of the access() calls in it,
and then you'll shoot yourself in the foot.

If you want to know if your process can open a file, just call open() or
fopen() and deal with errors appropriately.

Of course, if there is a real /reason/ that you have found for using
access() in spite of everything you have been told, that might make a
difference; but you have never given us that reason and so we can't
comment on it.

I know that every time, when I was a new Unix programmer, that I was
tempted to use access(), a bit of thought (or some guidance from a more
experienced colleague) showed me that I did not need access().

| I'm going to put together a suggestion for the doc team on this. I think
| it can probably be explained a little better in the man page. The
| current message is a little harsher than needed (I think)

That message has been there for many years and is quite correct. There
are interfaces that are in the system for historical reasons, but which
should not be used by new programs; access() is one of those.

There is only one reason to use access() and that's to discover if a
file is accessible. Because of the race condition and the fact that
access() tells lies to setuid and setgid programs, it is both dangerous
and useless unless used with such care that any benefits it provides are
lost in the noise.
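The two points Greg Black makes above (the check-then-open race and the real-versus-effective-credential mismatch in setuid programs) are easier to see side by side. The following C program is an added example and is not from this message or from the FreeBSD tree; it contrasts the access()-then-open() pattern with the plain open()-and-handle-errors approach the reply recommends. The file path, file contents and function names (open_after_access, open_and_check, probe_open, access_and_open_disagree, write_sample_file) are all constructed for the demo.

```c
/* Added example, not from the thread: access()-then-open() beside open()-only. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed sample file written into the current directory for the demo. */
#define SAMPLE_PATH "./access_demo_example.txt"

/* The pattern the thread warns against: ask access(2) first, then open.
 * Two problems, both named in the reply above:
 *  - access() decides using the real uid/gid, so in a setuid/setgid program
 *    its answer can differ from what open() does with the effective ids;
 *  - the file can be replaced between the check and the open (a race), so a
 *    "yes" from access() says nothing about the object open() finally gets.
 * Returns an open fd, or -errno. Kept here only for comparison. */
int open_after_access(const char *path)
{
    if (access(path, R_OK) != 0)
        return -errno;
    int fd = open(path, O_RDONLY);
    return fd < 0 ? -errno : fd;
}

/* What the thread recommends: just open() and deal with the error. The kernel
 * makes one decision, with the credentials the process actually has, on the
 * object it actually opened. Returns an open fd, or -errno. */
int open_and_check(const char *path)
{
    int fd = open(path, O_RDONLY);
    return fd < 0 ? -errno : fd;
}

/* For callers that only want yes/no: 0 if path opens for reading (the fd is
 * closed again), otherwise -errno as reported by open(). */
int probe_open(const char *path)
{
    int fd = open_and_check(path);
    if (fd < 0)
        return fd;
    close(fd);
    return 0;
}

/* 1 if access() and open() disagree about path, 0 if they agree. In an
 * ordinary (non-setuid) process they agree; in a setuid/setgid program a
 * disagreement is exactly the "lie" the reply describes. */
int access_and_open_disagree(const char *path)
{
    int acc_ok = access(path, R_OK) == 0;
    int open_ok = probe_open(path) == 0;
    return acc_ok != open_ok;
}

/* Write a small constructed file so the demo has something to open.
 * Returns 0 on success, otherwise -errno. */
int write_sample_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -errno;
    const char msg[] = "constructed sample content\n";
    ssize_t n = write(fd, msg, sizeof msg - 1);
    close(fd);
    return n == (ssize_t)(sizeof msg - 1) ? 0 : -EIO;
}

int main(void)
{
    if (write_sample_file(SAMPLE_PATH) != 0) {
        perror("write_sample_file");
        return 1;
    }
    printf("probe_open(sample): %d\n", probe_open(SAMPLE_PATH));
    int rc = probe_open("/nonexistent_dir_for_demo/file");
    printf("probe_open(missing): %s\n", strerror(-rc));
    printf("access() and open() disagree on sample: %d\n",
           access_and_open_disagree(SAMPLE_PATH));
    unlink(SAMPLE_PATH);
    return 0;
}
```

Run as an ordinary user the two helpers agree and the missing path reports ENOENT either way; the difference only shows in a setuid or setgid binary, where access() answers for the real ids while open() is judged on the effective ones, and in the window between the two calls, which open_and_check() does not have at all.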