[66] in bugtraq
Re: access(2)--a security hole?
daemon@ATHENA.MIT.EDU (Howie Kaye)
Fri Oct 21 16:18:15 1994
Date: Fri, 21 Oct 94 11:03:14 EDT
From: Howie Kaye <howie@columbia.edu>
Reply-To: howie@watsun.cc.columbia.edu
To: Justin Mason <jmason@iona.ie>
Cc: bugtraq@crimelab.com
In-Reply-To: Your message of Fri, 21 Oct 1994 11:50:02 +0100
The security hole in access() is really that it has an implicit race
condition in it. You check a file, and then you assume moments later that
the same access is granted. So, if the file is really a symlink, and
someone changes where it points to between the access() and the open(), a
completely different file might be affected. This is the root of many of
the holes that get posted here (xterm, /bin/mail come to mind).
------------------------------------------------------------
Howie Kaye howie@columbia.edu
Columbia University hlkcu@cuvma.bitnet
UNIX Systems Group ...!rutgers!columbia!howie
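
Added example, not part of the original message: the check-then-open pattern described above next to a form that opens first and then validates the descriptor it actually got. The function names, the /tmp fixture and the "regular file owned by the real user" policy are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, mkstemp, symlink */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the message: the path is resolved twice, by access() and
 * again by open(), and nothing ties the two results together. */
int open_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    return open(path, O_RDONLY); /* the name may point elsewhere by now */
}

/* Resolve the name once, refuse a symlink in the last path component, then
 * judge the object actually opened with fstat() on the descriptor.
 * Assumed policy: a regular file owned by the invoking (real) user. */
int open_safe(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1; /* fails here when path itself is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: temp file plus a symlink to it; 0 = file accepted, link refused. */
int self_check(void)
{
    char file[] = "/tmp/toctou-XXXXXX", lnk[64];
    int tmp = mkstemp(file), fd_file, fd_link;
    if (tmp < 0) return -1;
    close(tmp);
    snprintf(lnk, sizeof lnk, "%s.lnk", file);
    if (symlink(file, lnk) != 0) { unlink(file); return -1; }
    fd_file = open_safe(file);
    fd_link = open_safe(lnk);
    if (fd_file >= 0) close(fd_file);
    if (fd_link >= 0) close(fd_link);
    unlink(lnk); unlink(file);
    return (fd_file >= 0 && fd_link < 0) ? 0 : 1;
}
int main(void) { return self_check(); }
```

O_NOFOLLOW only covers the final path component, so the fstat() on the descriptor is what the decision rests on; a set-uid program would additionally open with the effective uid set to the real uid.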