Bugtraq mailing list archives

Re: access(2)--a security hole?


From: dsg () blackbird mitre org (Dave Goldberg)
Date: Fri, 21 Oct 1994 09:29:18 -0400


Unless there's something else specific to FreeBSD, which I do not have
to check out, the problem with access is that it is used something
like this:

if (access(filename, permstocheck) == 0) {
        fd = open(filename, flags, mode);   /* same path name, resolved a second time */
        ...
}

There's a race condition between the call to access and the call to
open.  Similar in principle to the race condition that causes setuid
shell scripts to be a security hole.  I tried this once, a long time
ago, because I was skeptical of this.  I wrote a setuid root program
that would open a symbolic link to the passwd file for reading and
writing after checking it with access.  I launched the program from a
wrapper that changed the symbolic link between /etc/passwd and a file
I legitimately had write access to under my own uid.  It took, as I
recall, a little over 50 tries for a success (that is, I got the
passwd file).

Dave Goldberg
Post: The Mitre Corporation MS B020 202 Burlington Rd. Bedford, MA 01730
Phone: 617-271-3887
Domain: dsg () mitre org  UUCP: {your neighborhood}!linus!mdf!dsg 

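The window Dave describes, as an added example that is not part of the original post or thread: a program that does the access()-then-open() dance, with a hook standing in for his wrapper that retargets the symlink between the two calls, beside a variant that drops the effective uid to the real uid around open() so the kernel performs the permission check on the inode it actually opens. The sandbox directory and the file names secret, mine and link, and the hook flip_link, are constructed for the demonstration. Run as an ordinary user it shows the race deterministically (the descriptor refers to a different inode than the one access() checked) but not the privilege gain; that part needs the setuid-root binary and root-owned target of the original experiment.

```c
/* Added example, not code from the original post. Assumes a POSIX system
 * and a writable /tmp (falls back to the current directory); the names
 * secret/mine/link are made up for the demo. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct sandbox {
    char dir[64];
    char secret[128];   /* stands in for /etc/passwd */
    char mine[128];     /* a file the invoking user legitimately owns */
    char link[128];     /* the symlink the privileged program is asked to open */
};

/* Create secret, mine and link -> mine in a fresh directory. 0 on success. */
static int sandbox_create(struct sandbox *sb)
{
    int fd;
    strcpy(sb->dir, "/tmp/toctou.XXXXXX");
    if (!mkdtemp(sb->dir)) {
        strcpy(sb->dir, "./toctou.XXXXXX");
        if (!mkdtemp(sb->dir)) return -1;
    }
    snprintf(sb->secret, sizeof sb->secret, "%s/secret", sb->dir);
    snprintf(sb->mine,   sizeof sb->mine,   "%s/mine",   sb->dir);
    snprintf(sb->link,   sizeof sb->link,   "%s/link",   sb->dir);
    if ((fd = open(sb->secret, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    if ((fd = open(sb->mine, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) return -1;
    close(fd);
    return symlink(sb->mine, sb->link);   /* link -> mine, so access() is satisfied */
}

static void sandbox_destroy(struct sandbox *sb)
{
    unlink(sb->link); unlink(sb->mine); unlink(sb->secret); rmdir(sb->dir);
}

/* The attacker's move: repoint link at secret. Runs between access() and open(). */
static void flip_link(void *ctx)
{
    struct sandbox *sb = ctx;
    unlink(sb->link);
    (void)symlink(sb->secret, sb->link);
}

/* The pattern from the post. access() tests the real uid against whatever the
 * path resolves to now; open() resolves it again, with the effective uid (root
 * in a setuid-root program). The hook makes the window explicit where a real
 * attacker simply retries until the flip lands inside it. */
static int racy_open(const char *path, int flags, void (*between)(void *), void *ctx)
{
    if (access(path, R_OK | W_OK) != 0) return -1;
    if (between) between(ctx);
    return open(path, flags);
}

/* Hardened: no separate check. Make the effective uid the real uid for the
 * duration of open() so the kernel checks permission on the inode it opens.
 * In a non-setuid process both uids already match and the seteuid is a no-op. */
static int safe_open(const char *path, int flags)
{
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;
    int fd = open(path, flags);
    int err = errno;
    if (seteuid(saved) != 0 && fd >= 0) { close(fd); fd = -1; }
    errno = err;
    return fd;
}

static ino_t inode_of_fd(int fd)          { struct stat st; return fstat(fd, &st) == 0 ? st.st_ino : 0; }
static ino_t inode_of_path(const char *p) { struct stat st; return stat(p, &st) == 0 ? st.st_ino : 0; }

/* Run both variants. Returns 1 when racy_open() handed back secret (the race
 * was won) and safe_open() handed back the file link pointed at when opened;
 * 0 otherwise; -1 if the sandbox could not be built. */
static int run_demo(void)
{
    struct sandbox sb;
    if (sandbox_create(&sb) != 0) return -1;

    int fd = racy_open(sb.link, O_RDWR, flip_link, &sb);
    int racy_got_secret = fd >= 0 && inode_of_fd(fd) == inode_of_path(sb.secret);
    if (fd >= 0) close(fd);

    unlink(sb.link);
    (void)symlink(sb.mine, sb.link);           /* reset link -> mine */
    fd = safe_open(sb.link, O_RDWR);           /* no check-then-use gap to flip into */
    int safe_got_mine = fd >= 0 && inode_of_fd(fd) == inode_of_path(sb.mine);
    if (fd >= 0) close(fd);

    sandbox_destroy(&sb);
    return racy_got_secret && safe_got_mine;
}

int main(void)
{
    int r = run_demo();
    printf("access()+open() followed the flipped link to secret: %s\n", r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

Build and run with cc -o toctou toctou.c && ./toctou. The hook replaces timing luck with a guaranteed hit; Dave's "a little over 50 tries" is what the same flip costs when it has to land in the window by chance. Note that the hardened form is the general fix for privileged programs: avoid any separate permission query and let the one open() be the check, whether by dropping privilege around it as here, or by validating the opened descriptor with fstat() afterwards rather than the path beforehand.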

