Re: access() is a security hole?

From: The Anarcat (anarcat@anarcat.ath.cx)
Date: 10/08/02


Date: Tue, 8 Oct 2002 16:37:59 -0400
From: The Anarcat <anarcat@anarcat.ath.cx>
To: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>


On Tue Oct 08, 2002 at 03:42:04PM -0300, Fernando Schapachnik wrote:
> In a previous message, The Anarcat wrote:
> > The access(2) manpage mentions an obscure security hole in
> > access(2). How so?
> >
> > "
> > CAVEAT
> > Access() is a potential security hole and should never be used.
>
> It might have to do with the fact that file permissions can change
> between the access() call and the open() call. The preferred way is
> to use fstat() that takes an open fd.

Just what I thought. The man page should be more precise. The way I
read it, there is a security bug in access(2), which is not the
case.

I'll try to come up with an update to the manpage.

A.

-- 
Advertisers, not governments, are the primary censors of media content 
in the United States today.
                        - C. Edwin Baker
                        http://www.ad-mad.co.uk/quotes/freespeech.htm
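
The race discussed in this thread, shown as an added example that is not part of the original message or of FreeBSD's code: the access()-then-open() pattern beside an open-then-fstat() form. The names open_racy and open_checked are hypothetical, and the policy checked (regular file, owned by the invoking user, owner-readable) is an assumption chosen for illustration.

```c
/* Added example: check the open descriptor instead of the path name. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern the thread describes: the path is resolved twice, so the
 * object checked by access() need not be the object opened by open(). */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)      /* check: bound to the path name */
        return -1;
    return open(path, O_RDONLY);      /* use: the path is resolved again */
}

/* Hypothetical helper: open first, then inspect the descriptor.
 * fstat() reports on the object the fd already refers to, so a later
 * rename or permission change on the path cannot alter the answer. */
int open_checked(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)                       /* includes a symlink as last component */
        return -1;
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||       /* no devices, FIFOs or directories */
        st.st_uid != owner ||         /* assumed policy: caller's own file */
        !(st.st_mode & S_IRUSR)) {    /* and readable by its owner */
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) return EXIT_FAILURE;
    int fd = open_checked(argv[1], getuid());   /* real uid, as access() uses */
    if (fd < 0) { perror(argv[1]); return EXIT_FAILURE; }
    printf("opened %s on fd %d after fstat() checks\n", argv[1], fd);
    close(fd);
    return 0;
}
```

All later reads should go through the returned descriptor; reopening the path by name would reintroduce the window between check and use.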
