[71] in bugtraq
Re: access(2)--a security hole?
daemon@ATHENA.MIT.EDU (John DiMarco)
Fri Oct 21 23:12:28 1994
To: bugtraq@crimelab.com
In-Reply-To: Your message of "Fri, 21 Oct 1994 21:50:59 EDT."
<Pine.3.89.9410220146.A7679-0100000@suburbia.apana.org.au>
Date: Fri, 21 Oct 1994 18:24:43 -0400
From: John DiMarco <jdd@cdf.toronto.edu>
In message <Pine.3.89.9410220146.A7679-0100000@suburbia.apana.org.au> Julian Assange writes:
>Access(2)/(3) is inherently insecure because its argument is a file-name not
>a file descriptor, meaning it is vulnerable to race conditions, which mean
>that a link or file with different permissions could be implanted over
>the file that access passed.
It's probably worth mentioning that stat and lstat are no better than access
in this regard. It's a general coding problem, not one specific to access.
The best way to avoid the race condition problem is to stat the file, open
it, fstat the opened file descriptor, and compare the results of the two
stats. If they're different (e.g. st_ino differs), somebody messed with
the file between the first stat and the second.
As Julian points out, access doesn't have a file descriptor variant (i.e.
there's no "faccess"), so you can't do the same trick with access. Note that
it's not good enough to do an access, then open, then another access, because
somebody could mess with the file between the first access and the open, and
then put everything back the way it was between the open and the second access.
It's a trickier race for the bad guy to win, but it's still possible.
Regards,
John
--
John DiMarco <jdd@cdf.toronto.edu> Office: EA201B
Computing Disciplines Facility Systems Manager Phone: 416-978-1928
University of Toronto Fax: 416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.html
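The stat/open/fstat/compare sequence John describes, as an added example that is not part of the original post. It compares st_dev as well as st_ino (an inode number is only unique within one filesystem, so the post's st_ino check alone can be fooled by a mount), opens with O_NOFOLLOW so an implanted symlink fails outright, and insists on a regular file. The ESTALE errno for "the name was re-pointed under us", the simulate() harness that plays the attacker by renaming a second file over the target between the first stat and the open, and the temp-directory layout are all assumptions of this example. One later caveat: POSIX.1-2008 did add faccessat(2), but it still takes a pathname (relative to a directory descriptor), so it does not give access(2) the fstat-style descriptor check the post is asking for.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* stat, fstat, O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two stat records describe the same filesystem object only if both the
 * device and the inode match; st_ino alone is ambiguous across mounts. */
int same_object(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Open 'path' and verify the descriptor refers to the object the caller
 * saw in 'expected' (the first stat).  Returns an fd, or -1 with errno
 * set.  A mismatch means the name was re-pointed between the caller's
 * stat and our open; this example reports that as ESTALE (an assumption
 * here, not a convention from the post). */
int open_matching(const char *path, int flags, const struct stat *expected)
{
    /* O_NOFOLLOW: an implanted symlink in the last component fails the
     * open instead of being followed silently. */
    int fd = open(path, flags | O_NOFOLLOW);
    if (fd < 0)
        return -1;

    struct stat post;
    if (fstat(fd, &post) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (!same_object(expected, &post) || !S_ISREG(post.st_mode)) {
        close(fd);
        errno = ESTALE;
        return -1;
    }
    return fd;
}

/* The full sequence from the post: stat by name, open, fstat, compare. */
int safe_open(const char *path, int flags)
{
    struct stat pre;
    if (stat(path, &pre) < 0)
        return -1;
    return open_matching(path, flags, &pre);
}

static int make_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Constructed race: the "victim" stats a target, then (if attacker_swaps)
 * an "attacker" renames a different file over that name before the open.
 * Returns 1 if the open was accepted, 0 if the swap was detected, -1 on
 * setup failure.  Runs in a private temp dir so it is safe to repeat. */
int simulate(int attacker_swaps)
{
    char dir[] = "/tmp/access-race-XXXXXX";
    char target[64], evil[64];
    struct stat pre;
    int fd, result = -1;

    if (!mkdtemp(dir))
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(evil, sizeof evil, "%s/evil", dir);

    if (make_file(target) < 0 || stat(target, &pre) < 0)   /* first stat */
        goto out;
    if (attacker_swaps && (make_file(evil) < 0 || rename(evil, target) < 0))
        goto out;                                           /* the implant */

    fd = open_matching(target, O_RDONLY, &pre);            /* open+fstat */
    if (fd >= 0) {
        close(fd);
        result = 1;
    } else if (errno == ESTALE) {
        result = 0;
    }
out:
    unlink(target);
    unlink(evil);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("no race:   %s\n", simulate(0) == 1 ? "open accepted" : "unexpected");
    printf("with swap: %s\n", simulate(1) == 0 ? "swap detected" : "MISSED");
    return 0;
}
```

The harness only shows the swap being caught because the attacker wins the race deterministically; in a real program the window is the gap between stat() and open(), and the point of the fstat comparison is that the result is correct whichever way the race goes. Note what it does not cover: a chmod on the same inode between the two stats keeps st_dev and st_ino identical, so if permission bits are part of the decision, compare st_mode and st_uid from the fstat as well rather than trusting the earlier by-name check.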