From owner-freebsd-hackers Sat Mar 31 14:39:56 2001 Delivered-To: freebsd-hackers@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 1211F37B718 for ; Sat, 31 Mar 2001 14:39:53 -0800 (PST) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.1/8.11.1) with SMTP id f2VMdVh64010; Sat, 31 Mar 2001 17:39:31 -0500 (EST) (envelope-from robert@fledge.watson.org) Date: Sat, 31 Mar 2001 17:39:31 -0500 (EST) From: Robert Watson X-Sender: robert@fledge.watson.org To: Greg Black Cc: Bill Moran , freebsd-hackers@FreeBSD.ORG Subject: Re: Security problems with access(2)? In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, 1 Apr 2001, Greg Black wrote: > There is only one reason to use access() and that's to discover if a > file is accessible. Because of the race condition and the fact that > access() tells lies to setuid and setgid programs, it is both dangerous > and useless unless used with such care that any benefits it provides are > lost in the noise. Actually, there are a number of legitimate reasons that a program might wish to determine the accessibility of a file. However, in my view access(2) is mis-specified. Really, I would like it to generate results based on the effective uid and gid of the process, not the real uid and gid, so it could allow applications to defer to kernel policy for accessibility when generating output for the user. However, instead it uses the real uid and gid in a manner likely to induce races. The scenario for access(2) that I have in mind would be for GUI's that want to display (for example), a read-only version of an icon. Deriving the read-only status from the results of stat() (and friends) means replicating the kernel protection policy in userland, which breaks for ACL-enabled, MAC, BSD file flags, capability, superuser, DTE, ... environments. I.e., the userland process cannot adequately determine its access rights to a file purely based on available output from stat(), and really shouldn't try. Unfortunately, access(2) does the wrong thing. :-) However, access(2) is defined in some or another spec, possibly SUS or POSIX. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message