From owner-freebsd-hackers  Sat Mar 31 19:47:35 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20])
	by hub.freebsd.org (Postfix) with ESMTP id C73E737B71A
	for <freebsd-hackers@FreeBSD.ORG>; Sat, 31 Mar 2001 19:47:32 -0800 (PST)
	(envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost)
	by fw.wintelcom.net (8.10.0/8.10.0) id f313lUa06468;
	Sat, 31 Mar 2001 19:47:30 -0800 (PST)
Date: Sat, 31 Mar 2001 19:47:30 -0800
From: Alfred Perlstein <bright@wintelcom.net>
To: Bill Moran <wmoran@iowna.com>
Cc: Rick Bradley <roundeye@roundeye.net>, freebsd-hackers@FreeBSD.ORG
Subject: Re: Security problems with access(2)?
Message-ID: <20010331194729.J9431@fw.wintelcom.net>
References: <3AC60925.7CF191FA@iowna.com> <20010331110248.A28931@negwo.roundeye.net> <3AC6129C.3E5BDC01@iowna.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3AC6129C.3E5BDC01@iowna.com>; from wmoran@iowna.com on Sat, Mar 31, 2001 at 12:23:40PM -0500
X-all-your-base: are belong to us.
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

* Bill Moran <wmoran@iowna.com> [010331 09:28] wrote:
> Rick Bradley wrote:
> > 
> > * Bill Moran (wmoran@iowna.com) [010331 10:48]:
> > [...]
> > > Does anyone have a pointer to more detailed information on the potential
> > > security hole in access()? I've got a bit more research to do on this,
> > > but I'd appreciate any pointers to speed me along.
> > 
> > I'd say they docs are referring to the potential race condition:
> > 
> >  - Program calls access() to see if user has authority to open
> >    a file and gets an affirmative result
> >  - User swaps file with another file (say a link to the password
> >    file)
> >  - Program calls open() on the file, which has been replaced since
> >    the call to access()
> > 
> > If the program is running with more privileges than the user this
> > is a truck-sized hole (or at least SUV-sized).
> 
> Ahhh ... I'd call that an aircraft-carrier sized hole. I hadn't even
> considered that possibility.
> The good news, however, is that it doesn't present any security concerns
> in the context I'll be using - since the program runs as the local user.

Yeah... ok

What if it happens to belong to another user that has set the required
permissions on it (world accessability) then swaps it with a symlink
to the running user's sensative files?

Just wondering..

-- 
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
Represent yourself, show up at BABUG http://www.babug.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message