Bugtraq mailing list archives

Re: access(2)--a security hole?


From: jdd () cdf toronto edu (John DiMarco)
Date: Fri, 21 Oct 1994 18:24:43 -0400


In message <Pine.3.89.9410220146.A7679-0100000 () suburbia apana org au> Julian Assange writes:

Access(2)/(3) is inherently insecure because its argument is a file-name not
a file descriptor, meaning it is vulnerable to race conditions, which mean 
that a link or file with different permissions could be implanted over 
the file that access passed.

It's probably worth mentioning that stat and lstat are no better than access
in this regard. It's a general coding problem, not one specific to access.

The best way to avoid the race condition problem is to stat the file, open
it, fstat the opened file descriptor, and compare the results of the two
stats. If they're different (e.g. st_ino differs), somebody messed with
the file between the first stat and the second.

As Julian points out, access doesn't have a file descriptor variant (i.e. 
there's no "faccess"), so you can't do the same trick with access. Note that
it's not good enough to do an access, then open, then another access, because
somebody could mess with the file between the first access and the open, and
then put everything back the way it was between the open and the second access. 
It's a trickier race for the bad guy to win, but it's still possible.

Regards,

John
--
John DiMarco <jdd () cdf toronto edu>                        Office: EA201B
Computing Disciplines Facility Systems Manager            Phone: 416-978-1928
University of Toronto                                     Fax:   416-978-1931
http://www.cdf.toronto.edu/personal/jdd/jdd.html
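The stat/open/fstat comparison John describes, as an added example in C that is not part of the original thread; `open_checked`, `same_file` and the temp-file `demo` are my own names and assumptions:

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* True when two stat results name the same inode on the same device.
 * st_ino alone is not enough: another filesystem can reuse the number. */
int same_file(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* stat, open, fstat, compare: the sequence John describes. Returns an
 * open read-only descriptor, or -1 if the path is not a plain file or the
 * object changed between the first stat and the open. */
int open_checked(const char *path) {
    struct stat before, after;
    if (lstat(path, &before) == -1)   /* lstat: a symlink is reported as itself */
        return -1;
    if (!S_ISREG(before.st_mode))     /* refuse links, devices, fifos up front */
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    /* fstat works on the descriptor, so a path swap cannot fool it. */
    if (fstat(fd, &after) == -1 || !S_ISREG(after.st_mode)
        || !same_file(&before, &after)) {
        close(fd);
        return -1;                    /* somebody messed with the file */
    }
    return fd;
}

/* Constructed demo: a fresh temp file is accepted, a symlink to it refused.
 * Returns 0 on the expected outcome, nonzero otherwise. */
int demo(void) {
    char tmpl[] = "./chk-XXXXXX", link[32];
    int t = mkstemp(tmpl);
    if (t == -1) return -1;
    close(t);
    snprintf(link, sizeof link, "%s.lnk", tmpl);
    int fd = open_checked(tmpl);
    int via_link = (symlink(tmpl, link) == 0) ? open_checked(link) : -2;
    if (fd >= 0) close(fd);
    unlink(link); unlink(tmpl);
    return (fd >= 0 && via_link == -1) ? 0 : 1;
}
```

The comparison uses st_dev as well as st_ino, and the type check happens both before and after the open, which is the guarantee an access-then-open-then-access sequence cannot give.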