[76] in bugtraq


Re: access(2)--a security hole?

daemon@ATHENA.MIT.EDU (Kayvan Sylvan)
Sat Oct 22 22:14:24 1994

Date: Sat, 22 Oct 94 17:20 PDT
To: Steve Simmons <scs@lokkur.dexter.mi.us>
Cc: bugtraq@crimelab.com
In-Reply-To: <199410222204.SAA03294@lokkur.dexter.mi.us>
From: Kayvan Sylvan <kayvan@Sylvan.COM>

>>>>> "Steve" == Steve Simmons <apple!lokkur.dexter.mi.us!scs> writes:

>> The security hole in access() is really that it has an implicit race
>> condition in it.  You check a file, and then you assume moments later that
>> the same access is granted.  So, if the file is really a symlink, and
>> someone changes where it points to between the access() and the open(), a
>> completely different file might be affected.  This is the root of many of
>> the holes that get posted here (xterm, /bin/mail come to mind).

Steve> The obvious correct coding is to open *first*, then check access, and
Steve> close it back up if you shouldn't have opened it.

This doesn't get around the race condition.

1. Your suid script opens a file that is a symlink pointing to /etc/passwd.

2. Before the access, but after the open(), the symlink is changed to
   point to someplace that I have legitimate access to.

3. You do your access() call on the new symlink...

I may have to run the program a hundred times to get the race
condition to occur (loading the machine also helps sometimes)...

			---Kayvan

Kayvan Sylvan       | Sylvan Associates         | Proud Dad of:
kayvan@Sylvan.COM   | Training, Consulting      | Katherine Yelena (8/8/89)
PGP Key available.  | NLP Master Practitioner   | Robin Gregory (2/28/92)

"The trust and respect of a child is an honor to be earned, not demanded."
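The swap Kayvan walks through above, reproduced deterministically (the link is repointed between the two calls rather than by winning a race) as an added example; this is not code from the thread or from any of the programs it mentions. It assumes a writable /tmp, uses constructed files named "secret" and "allowed" in place of /etc/passwd and a user-owned file, and the fd-based permission check is a deliberately simplified model (owner/group/other bits only, no ACLs, no supplementary groups, no root bypass).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Answer access()'s question, "may the REAL user do this?", about a
 * descriptor we already hold, so the check cannot be pointed at a
 * different file than the one we opened.  Simplified on purpose
 * (assumption): owner/group/other bits only, no ACLs, no supplementary
 * groups, and root is not given its usual bypass. */
int fd_real_user_may(int fd, int want)      /* want: R_OK | W_OK | X_OK */
{
    struct stat st;
    unsigned bits;
    if (fstat(fd, &st) != 0)
        return 0;
    if (st.st_uid == getuid())
        bits = (st.st_mode >> 6) & 7;
    else if (st.st_gid == getgid())
        bits = (st.st_mode >> 3) & 7;
    else
        bits = st.st_mode & 7;
    return (bits & (unsigned)want) == (unsigned)want;
}

/* The non-racy alternative for a setuid program: drop to the real uid,
 * let the kernel do the permission check and the open in ONE syscall on
 * ONE object, then restore privilege.  Returns -1 (errno set) on failure;
 * if privilege cannot be regained the caller also gets -1. */
int open_as_real_user(const char *path, int flags)
{
    uid_t euid = geteuid();
    int fd, saved;
    if (seteuid(getuid()) != 0)
        return -1;
    fd = open(path, flags);
    saved = errno;
    if (seteuid(euid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    errno = saved;
    return fd;
}

/* Reproduce the "open first, then access()" failure.  Returns 1 when
 * access() says "writable" about the new link target while the
 * descriptor we hold still refers to the read-only file; -1 on setup
 * error.  All files live in a constructed /tmp sandbox (assumption). */
int demo_open_then_access(void)
{
    char dir[] = "/tmp/accessrace.XXXXXX";
    char secret[64], allowed[64], link[64];
    int s = -1, a = -1, fd = -1, rc = -1;
    int path_says_writable, fd_says_writable;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(secret, sizeof secret, "%s/secret", dir);    /* stands in for /etc/passwd */
    snprintf(allowed, sizeof allowed, "%s/allowed", dir); /* a file the user may write */
    snprintf(link, sizeof link, "%s/link", dir);

    s = open(secret, O_WRONLY | O_CREAT | O_EXCL, 0400);   /* read-only for owner */
    a = open(allowed, O_WRONLY | O_CREAT | O_EXCL, 0600);  /* writable for owner  */
    if (s < 0 || a < 0 || symlink(secret, link) != 0)
        goto out;
    close(s); close(a); s = a = -1;

    /* 1. the setuid program opens the path; fd is now bound to "secret" */
    fd = open(link, O_RDONLY);
    if (fd < 0)
        goto out;

    /* 2. attacker repoints the symlink inside the window Kayvan describes */
    unlink(link);
    if (symlink(allowed, link) != 0)
        goto out;

    /* 3. program checks the path: access() answers about "allowed" ... */
    path_says_writable = (access(link, W_OK) == 0);
    /* ... while a check on the descriptor answers about "secret" */
    fd_says_writable = fd_real_user_may(fd, W_OK);
    rc = path_says_writable && !fd_says_writable;
out:
    if (s >= 0) close(s);
    if (a >= 0) close(a);
    if (fd >= 0) close(fd);
    unlink(link); unlink(allowed); unlink(secret); rmdir(dir);
    return rc;
}

int main(void)
{
    printf("open-then-access fooled: %d\n", demo_open_then_access());
    return 0;
}
```

The point the demo makes is that "open first" only helps if the later check is done on the descriptor (fstat) rather than on the path, because the path can name a different object by then. For a setuid program the cleaner remedy is open_as_real_user: with the effective uid temporarily set to the real uid, the kernel performs the permission check and the open atomically on the same inode, which is what access() was trying to approximate. Opening with O_NOFOLLOW additionally refuses to traverse a symlink at the last path component.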
