Re: access() is a security hole?

From: The Anarcat (anarcat@anarcat.ath.cx)
Date: 10/08/02


Date: Tue, 8 Oct 2002 16:37:59 -0400
From: The Anarcat <anarcat@anarcat.ath.cx>
To: Fernando Schapachnik <fschapachnik@vianetworks.com.ar>


On Tue Oct 08, 2002 at 03:42:04PM -0300, Fernando Schapachnik wrote:
> En un mensaje anterior, The Anarcat escribió:
> > The access(2) manpage mentions an obscure security hole in
> > access(2). How so?
> >
> > "
> > CAVEAT
> > Access() is a potential security hole and should never be used.
>
> It might have to do with the fact that file permissions can change
> between the access() call and the open() call. The preferred way is
> to use fstat() that takes an open fd.

Just what I thought. The man page should be more precise. The way I
read it, there is a security bug in access(2) which is not the
case.

I'll try to come up with an update to the manpage.

A.

-- 
Advertisers, not governments, are the primary censors of media content 
in the United States today.
                        - C. Edwin Baker
                        http://www.ad-mad.co.uk/quotes/freespeech.htm

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message