Date: Sat, 31 Mar 2001 19:49:48 +0200 (CEST)
From: Paul Herman <pherman@frenchfries.net>
To: Warner Losh <imp@harmony.village.org>
Cc: Bill Moran <wmoran@iowna.com>, <freebsd-hackers@FreeBSD.ORG>
Subject: Re: Security problems with access(2)?
Message-ID: <Pine.BSF.4.33.0103311945010.13408-100000@husten.security.at12.de>
In-Reply-To: <200103311726.f2VHQIO13750@harmony.village.org>

On Sat, 31 Mar 2001, Warner Losh wrote: > In message <3AC60925.7CF191FA@iowna.com> Bill Moran writes: > : I'm a little confused here, if access() is such a serious security > : problem that it should _never_ be used, do we now have a major problem > : with a large amount of software in the base system? > > Access(2) can be raced. Shouldn't the stat(2) manpage then also carry the same warning that access(2) has (apparently dating back to 4.4BSD-Lite)? ...or maybe even a suggestion to use fstat(2) instead... -Paul. Index: stat.2 =================================================================== RCS file: /home/ncvs/src/lib/libc/sys/stat.2,v retrieving revision 1.16.2.3 diff -u -r1.16.2.3 stat.2 --- stat.2 2000/12/08 13:49:32 1.16.2.3 +++ stat.2 2001/03/31 17:44:27 @@ -273,6 +273,10 @@ .Fn fstat function calls are expected to conform to .St -p1003.1-90 . +.Sh CAVEAT +.Fn stat +is a potential security hole and +should never be used. .Sh HISTORY A .Fn stat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
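Review bot: The added text under `.Sh CAVEAT` says only that `.Fn stat` "is a potential security hole and should never be used", which names neither the hazard nor an alternative. The concern raised in the thread is a race: a decision made on a path name can be invalidated before that name is used again. The caveat should say so and limit the warning to that pattern, rather than forbidding the call outright. It should also point to `.Fn fstat` on an already open descriptor, which the message itself proposes and which this same page documents (the `.Fn fstat` context line directly above the addition). As written, a reader cannot tell whether the blanket "never" is meant to cover that call too.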
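The check-then-use race the thread refers to, next to the fstat(2) alternative suggested in the message, as an added C example that is not part of the original mail or of the FreeBSD sources. The acceptance policy (regular file owned by the caller), the `in_window` hook, `swap_name` and the file names `checked` and `link` are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed policy for the example: regular file owned by the caller. */
static int acceptable(const struct stat *sb)
{
    return S_ISREG(sb->st_mode) && sb->st_uid == geteuid();
}

/* Racy: check the name with stat(2), then open the name again.
 * in_window (hypothetical test hook) runs between check and use. */
int open_stat_then_open(const char *path, void (*in_window)(void))
{
    struct stat sb;
    if (stat(path, &sb) == -1 || !acceptable(&sb))
        return -1;
    if (in_window != NULL)
        in_window();
    return open(path, O_RDONLY);      /* may no longer be the checked file */
}

/* Descriptor-based: open first, then fstat(2) the object actually held. */
int open_then_fstat(const char *path)
{
    struct stat sb;
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);

    if (fd == -1)
        return -1;                    /* also taken for a final-component symlink */
    if (fstat(fd, &sb) == -1 || !acceptable(&sb)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed window action: re-point the checked name at another file. */
void swap_name(void) { (void)rename("link", "checked"); }

int main(int argc, char **argv)
{
    int fd = open_then_fstat(argc > 1 ? argv[1] : "checked");
    puts(fd == -1 ? "rejected" : "accepted");
    return fd == -1;
}
```

The checks in `open_then_fstat` describe the file behind the descriptor, so later changes to the name do not affect what the caller reads.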