From: Bill Moran
Date: Sat, 31 Mar 2001 17:53:09 -0500
To: Greg Black
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: Security problems with access(2)? - off topic
Message-ID: <3AC65FD5.F91717BB@iowna.com>
References: <3AC644B1.1BB56BB3@iowna.com>

Greg Black wrote:
>
> Bill Moran wrote:
>
> | Thanks for the additional explanation. It has done a number of things
> | for me, one of which is convince me that (for my application) the use of
> | access() is not a security problem.
>
> You're almost certainly wrong in that conclusion; and even if
> you're not wrong now there'll come a day when you re-use that
> code or extend that program without thinking about the effects
> of the access() calls in it and then you'll shoot yourself in
> the foot. If you want to know if your process can open a file,
> just call open() or fopen() and deal with errors appropriately.
>
> Of course, if there is a real /reason/ that you have found for
> using access() in spite of everything you have been told, that
> might make a difference; but you have never given us that reason
> and so we can't comment on it.
> I know that every time when I
> was a new Unix programmer and was tempted to use access(), a bit
> of thought (or some guidance from a more experienced colleague)
> showed me that I did not need access().

Sorry ... didn't think anyone was interested, and it's off topic, but here it
is in a nutshell:

The client I'm working with is moving from a Novell server to a FreeBSD server
using Samba. They're very unhappy with Samba's behaviour in only 1 respect: on
the Novell server, files/directories that were not readable by the user did not
appear in the directory listing. For legacy reasons, they have a single shared
directory that contains hundreds of directories, most of which are not
accessible to the majority of groups/users on the system. Samba has no option
for this that I can find, and I have not been able to produce this effect with
manipulation of the filesystem permissions.

So I dug into the source code and found that the code that produces a directory
listing is relatively simple. It's simply a loop that iterates through all the
files (directories) in a directory and presents them to the client. So,
ignoring these files/directories is simply a matter of a test for access() at
the beginning of the loop that does a "continue" if it fails on read access.

So you see ... this is probably one of the few situations where access() is
safe, since a mistake in this case does not provide any access to the object
(that's handled later, in a completely separate block of code).

If I'm wrong, please feel free to correct me.

-Bill