Date: Sat, 31 Mar 2001 19:47:30 -0800 From: Alfred Perlstein <bright@wintelcom.net> To: Bill Moran <wmoran@iowna.com> Cc: Rick Bradley <roundeye@roundeye.net>, freebsd-hackers@FreeBSD.ORG Subject: Re: Security problems with access(2)? Message-ID: <20010331194729.J9431@fw.wintelcom.net> In-Reply-To: <3AC6129C.3E5BDC01@iowna.com>; from wmoran@iowna.com on Sat, Mar 31, 2001 at 12:23:40PM -0500 References: <3AC60925.7CF191FA@iowna.com> <20010331110248.A28931@negwo.roundeye.net> <3AC6129C.3E5BDC01@iowna.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* Bill Moran <wmoran@iowna.com> [010331 09:28] wrote: > Rick Bradley wrote: > > > > * Bill Moran (wmoran@iowna.com) [010331 10:48]: > > [...] > > > Does anyone have a pointer to more detailed information on the potential > > > security hole in access()? I've got a bit more research to do on this, > > > but I'd appreciate any pointers to speed me along. > > > > I'd say they docs are referring to the potential race condition: > > > > - Program calls access() to see if user has authority to open > > a file and gets an affirmative result > > - User swaps file with another file (say a link to the password > > file) > > - Program calls open() on the file, which has been replaced since > > the call to access() > > > > If the program is running with more privileges than the user this > > is a truck-sized hole (or at least SUV-sized). > > Ahhh ... I'd call that an aircraft-carrier sized hole. I hadn't even > considered that possibility. > The good news, however, is that it doesn't present any security concerns > in the context I'll be using - since the program runs as the local user. Yeah... ok What if it happens to belong to another user that has set the required permissions on it (world accessability) then swaps it with a symlink to the running user's sensative files? Just wondering.. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] Represent yourself, show up at BABUG http://www.babug.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010331194729.J9431>