Bugtraq mailing list archives
Re: access(2)--a security hole?
From: kayvan () Sylvan COM (Kayvan Sylvan)
Date: Sat, 22 Oct 94 17:20 PDT
"Steve" == Steve Simmons <apple!lokkur.dexter.mi.us!scs> writes:
The security hole in access() is really that it has an implicit race condition in it. You check a file, and then you assume moments later that the same access is granted. So, if the file is really a symlink, and someone changes where it points to between the access() and the open(), a completely different file might be affected. This is the root of many of the holes that get posted here (xterm, /bin/mail come to mind).
Steve> The obvious correct coding is to open *first*, then check access, and
Steve> close it back up if you shouldn't have opened it.

This doesn't get around the race condition.

1. Your suid script opens a file that is a symlink pointing to /etc/passwd.
2. Before the access, but after the open(), the symlink is changed to point to someplace that I have legitimate access to.
3. You do your access() call on the new symlink...

I may have to run the program a hundred times to get the race condition to occur (loading the machine also helps sometimes)...

---Kayvan

Kayvan Sylvan        | Sylvan Associates       | Proud Dad of:
kayvan () Sylvan COM | Training, Consulting    | Katherine Yelena (8/8/89)
PGP Key available.   | NLP Master Practitioner | Robin Gregory (2/28/92)
"The trust and respect of a child is an honor to be earned, not demanded."
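A deterministic reconstruction of the race discussed in this message, added here as an example; it is not code from the original post or from anyone in the thread. Instead of a second process racing the victim, a hook is called synchronously in the window between the two syscalls and repoints the symlink, so every run shows the outcome that in practice needs "a hundred" attempts. It covers both orderings from the exchange (access() then open(), and Steve's open() then access() on the name, which is Kayvan's steps 1 to 3), and adds a third variant that checks the opened descriptor with fstat(), a technique the post does not mention. The fixture (files named secret and public, a symlink named link, a temp directory under /tmp) is constructed for the demo, and "world-readable regular file" is an assumed stand-in for "the real user may read this", since a non-setuid test cannot exercise the real-uid check that access() performs.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The "attacker": called synchronously inside the race window (a real attacker
 * is a second process looping on this) and repoints the symlink. */
struct swap { const char *link; const char *new_target; };
static void swap_link(void *ctx) {
    struct swap *s = ctx;
    unlink(s->link);
    symlink(s->new_target, s->link);
}
typedef void (*race_hook_t)(void *ctx);

/* Pattern 1: access() the name, then open() the name. The classic hole. */
static int access_then_open(const char *path, race_hook_t hook, void *ctx) {
    if (access(path, R_OK) != 0) return -1;
    hook(ctx);                        /* the name may now resolve elsewhere */
    return open(path, O_RDONLY);
}

/* Pattern 2: open() first, then access() the name, close if not allowed.
 * The check still looks at the name, not at what was opened, so it races too. */
static int open_then_access(const char *path, race_hook_t hook, void *ctx) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    hook(ctx);                        /* name now points at an allowed file... */
    if (access(path, R_OK) != 0) { close(fd); return -1; }
    return fd;                        /* ...but fd still refers to the old target */
}

/* Assumed policy standing in for "the real user may read this": a setuid program
 * would compare st_uid/st_gid/st_mode with getuid()/getgid(); this non-setuid
 * demo treats a world-readable regular file as allowed. */
static int policy_allows(const struct stat *st) {
    return S_ISREG(st->st_mode) && (st->st_mode & S_IROTH);
}

/* Pattern 3: open() first, then check the descriptor with fstat(). The check and
 * the later read hit the same inode, so repointing the name afterwards is harmless.
 * (O_NOFOLLOW is left out so the demo can go through a symlink; a setuid program
 * would normally add it, or better, drop privileges before calling open().) */
static int open_then_fstat(const char *path, race_hook_t hook, void *ctx) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    hook(ctx);
    struct stat st;
    if (fstat(fd, &st) != 0 || !policy_allows(&st)) { close(fd); return -1; }
    return fd;
}

static int write_file(const char *path, const char *text, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, mode);
    if (fd < 0) return -1;
    int ok = write(fd, text, strlen(text)) == (ssize_t)strlen(text) && fchmod(fd, mode) == 0;
    close(fd);
    return ok ? 0 : -1;
}

enum { OUT_SETUP_ERR = -1, OUT_REJECTED, OUT_PUBLIC, OUT_SECRET };

/* Run one pattern under the race. Constructed fixture: "secret" (mode 0600, content
 * SECRET) and "public" (0644, PUBLIC) in a fresh temp dir, plus a symlink "link"
 * that starts on one of them and is swapped to the other inside the window.
 * Returns which content was read through the "checked" descriptor. */
static int demo(int pattern, int start_on_secret) {
    char dir[] = "/tmp/accessrace.XXXXXX";
    if (!mkdtemp(dir)) return OUT_SETUP_ERR;
    char sec[64], pub[64], link[64];
    snprintf(sec, sizeof sec, "%s/secret", dir);
    snprintf(pub, sizeof pub, "%s/public", dir);
    snprintf(link, sizeof link, "%s/link", dir);
    int rc = OUT_SETUP_ERR;
    if (write_file(sec, "SECRET", 0600) == 0 && write_file(pub, "PUBLIC", 0644) == 0 &&
        symlink(start_on_secret ? sec : pub, link) == 0) {
        struct swap s = { link, start_on_secret ? pub : sec };
        int fd = pattern == 1 ? access_then_open(link, swap_link, &s)
               : pattern == 2 ? open_then_access(link, swap_link, &s)
               :                open_then_fstat(link, swap_link, &s);
        char buf[8] = {0};
        if (fd >= 0) { if (read(fd, buf, sizeof buf - 1) < 0) buf[0] = 0; close(fd); }
        rc = fd < 0 ? OUT_REJECTED : strcmp(buf, "SECRET") == 0 ? OUT_SECRET : OUT_PUBLIC;
    }
    unlink(link); unlink(sec); unlink(pub); rmdir(dir);
    return rc;
}

int main(void) {
    printf("access then open, link swapped to secret: %d (2 = SECRET leaked)\n", demo(1, 0));
    printf("open then access, link swapped to public: %d (2 = SECRET leaked)\n", demo(2, 1));
    printf("open then fstat,  link swapped to public: %d (0 = rejected)\n", demo(3, 1));
    printf("open then fstat,  link swapped to secret: %d (1 = PUBLIC read)\n", demo(3, 0));
    return 0;
}
```

The first two patterns leak SECRET every time because the check and the use are tied to a name that the attacker controls, regardless of which of the two syscalls comes first. The third never leaks because fstat() and read() both operate on the descriptor, whose target cannot be changed from outside once open() has returned; in a real setuid program the same idea is usually combined with O_NOFOLLOW or, more simply, with dropping to the real uid before open() so that the kernel performs the check and the open as one operation.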
Current thread:
- Re: access(2)--a security hole? Jeremy Epstein -C2 PROJECT (Oct 21)
- <Possible follow-ups>
- Re: access(2)--a security hole? Jeremy Epstein -C2 PROJECT (Oct 21)
- Re: access(2)--a security hole? der Mouse (Oct 21)
- Re: access(2)--a security hole? Steve Simmons (Oct 22)
- Re: access(2)--a security hole? Kayvan Sylvan (Oct 22)
- Re: access(2)--a security hole? Howie Kaye (Oct 22)
- Re: access(2)--a security hole? der Mouse (Oct 22)