[63] in bugtraq
Re: access(2)--a security hole?
daemon@ATHENA.MIT.EDU (Dave Goldberg)
Fri Oct 21 11:28:50 1994
To: Justin Mason <jmason@iona.ie>
Cc: bugtraq@crimelab.com
In-Reply-To: Your message of Fri, 21 Oct 1994 11:50:02 BST. <199410211050.LAA07173@destructor.iona.ie>
Reply-To: dsg@mitre.org
Date: Fri, 21 Oct 1994 09:29:18 -0400
From: Dave Goldberg <dsg@blackbird.mitre.org>
Unless there's something else specific to FreeBSD, which I do not have
to check out, the problem with access is that it is used something
like this:
    if (access(filename, permstocheck) == 0) {
        /* window: what `filename` names can change between the two calls */
        open(filename, whatever, whatever);
        ...
    }
There's a race condition between the call to access and the call to
open. Similar in principle to the race condition that causes setuid
shell scripts to be a security hole. I tried this once, a long time
ago because I was skeptical of this. I wrote a setuid root program
that would open a symbolic link to the passwd file for reading and
writing after checking it with access. I launched the program from a
wrapper that changed the symbolic link between /etc/passwd and a file
I legitimately had write access to under my own uid. It took, as I
recall, a little over 50 tries for a success (that is, I got the
passwd file).
Dave Goldberg
Post: The Mitre Corporation MS B020 202 Burlington Rd. Bedford, MA 01730
Phone: 617-271-3887
Domain: dsg@mitre.org UUCP: {your neighborhood}!linus!mdf!dsg
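A hardened form of the open that the post's racy check-then-open pattern should be replaced with, as an added example that is not part of Dave Goldberg's post: instead of asking access() on behalf of the real uid and then opening as root, the program becomes the real user for the open itself, so the kernel enforces permission on the exact inode it opens, and O_NOFOLLOW refuses the symlink the described wrapper relied on. The function names open_as_real_user and demo, and the /tmp file and link the demo creates, are my own constructions.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hardened form: be the real user while opening, so the kernel checks
 * permission on the very inode it opens, and refuse a symlink as the final
 * path component. There is no separate check left to race. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved = geteuid();
    int fd, err;
    if (seteuid(getuid()) != 0)         /* drop to the invoking user's uid */
        return -1;
    fd = open(path, flags | O_NOFOLLOW);
    err = errno;
    if (seteuid(saved) != 0) {          /* cannot regain privilege: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = err;
    return fd;
}

/* Constructed scenario (not from the post): a regular file in /tmp plus a
 * symlink to it. Returns 0 when the hardened open accepts the file but
 * rejects the link (errno is ELOOP on Linux). In a non-setuid process the
 * seteuid calls are no-ops, which is fine for the demonstration. */
int demo(void)
{
    char file[] = "/tmp/access_demo_XXXXXX", link[64];
    int fd = mkstemp(file), good, bad, rc = 1;
    if (fd < 0)
        return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    if (symlink(file, link) == 0) {
        bad = open_as_real_user(link, O_RDONLY);    /* -1: symlink refused */
        good = open_as_real_user(file, O_RDONLY);   /* >= 0: real file opened */
        rc = (bad == -1 && good >= 0) ? 0 : 1;
        if (good >= 0)
            close(good);
        unlink(link);
    }
    unlink(file);
    return rc;
}
```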