Bugtraq mailing list archives
Re: access(2)--a security hole?
From: dsg () blackbird mitre org (Dave Goldberg)
Date: Fri, 21 Oct 1994 09:29:18 -0400
Unless there's something else specific to FreeBSD, which I do not have to check out, the problem with access is that it is used something like this:

    if (access(filename,permstocheck) == 0) {
        open(filename,whatever,whatever);
        ...
    }

There's a race condition between the call to access and the call to open. Similar in principle to the race condition that causes setuid shell scripts to be a security hole.

I tried this once, a long time ago, because I was skeptical of this. I wrote a setuid root program that would open a symbolic link to the passwd file for reading and writing after checking it with access. I launched the program from a wrapper that changed the symbolic link between /etc/passwd and a file I legitimately had write access to under my own uid. It took, as I recall, a little over 50 tries for a success (that is, I got the passwd file).

Dave Goldberg
Post: The Mitre Corporation MS B020 202 Burlington Rd. Bedford, MA 01730
Phone: 617-271-3887
Domain: dsg () mitre org
UUCP: {your neighborhood}!linus!mdf!dsg