Date: Fri, 11 Oct 2002 20:11:20 -0700 From: David Schultz <dschultz@uclink.Berkeley.EDU> To: Don Lewis <dl-freebsd@catspoiler.org> Cc: peterjeremy@optushome.com.au, behanna@zbzoom.net, security@FreeBSD.ORG Subject: Re: access() is a security hole? Message-ID: <20021012031120.GA1951@HAL9000.homeunix.com> In-Reply-To: <200210120202.g9C220vU046809@gw.catspoiler.org> References: <20021011212020.GA209@server.c18609.belrs1.nsw.optusnet.com.au> <200210120202.g9C220vU046809@gw.catspoiler.org>
next in thread | previous in thread | raw e-mail | index | archive | help
Thus spake Don Lewis <dl-freebsd@catspoiler.org>: > > It's not at all clear how to solve this in userland. In the absence > > of symlinks, you can parse the pathname, using open(),fstat(),fchdir() > > to securely get to the final pathname component. Unfortunately, > > there's no way to securely do this and handle symlinks (because you > > have to use lstat() to detect a symlink and there is a gap between > > the lstat() and subsequent open(). > > It's worse than that because you can run into the same problems with > trying to verify the directory permissions before doing mkdir(), > rmdir(), link(), symlink(), etc. In addition to what has already been mentioned, consider what happens when someone creates a symlink to a tape drive. Just the act of opening the device may have actions associated with it. Really, there ought to be a version of the open syscall that takes an argument specifying the credentials to use for the call, but instead we're stuck with the lovely setuid suite of functions. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021012031120.GA1951>