Re: access(2)--a security hole?

[kayvan () Sylvan COM (Kayvan Sylvan)]

> > > > > "Steve" == Steve Simmons <apple!lokkur.dexter.mi.us!scs> writes:

> > The security hole in access() is really that it has an implicit race
> > condition in it.  You check a file, and then you assume moments later that
> > the same access is granted.  So, if the file is a really a symlink, and
> > someone changes where it points to between the access() and the open(), a
> > completely different file might be affected.  This is the root of many of
> > the holes that get posted here (xterm, /bin/mail come to mind).

Steve> The obvious correct coding is to open *first*, then check access, and
Steve> close it back up if you shouldn't have opened it.

This doesn't get around the race condition.

1. Your suid script opens a file that is a symlink pointing to /etc/passwd.

2. Before the access, but after the open(), the symlink is changed to
   point to someplace that I have legitimate access to.

3. You do your access() call on the new symlink...

I may have to run the program a hundred times to get the race
condition to occur (loading the machine also helps sometimes)...

                        ---Kayvan

Kayvan Sylvan       | Sylvan Associates         | Proud Dad of:
kayvan () Sylvan COM   | Training, Consulting      | Katherine Yelena (8/8/89)
PGP Key available.  | NLP Master Practitioner   | Robin Gregory (2/28/92)

"The trust and respect of a child is an honor to be earned, not demanded."