Re: access(2)--a security hole?
Dave Goldberg (dsg@blackbird.mitre.org)
Fri, 21 Oct 1994 09:29:18 -0400
- Next message: jmc@gnu.ai.mit.edu: "Re: access(2)--a security hole?"
- Previous message: Jeremy Epstein -C2 PROJECT: "Re: access(2)--a security hole?"
- In reply to: Justin Mason: "Re: access(2)--a security hole?"
- Next in thread: Julian Assange: "Re: access(2)--a security hole?"
Unless there's something else specific to FreeBSD, which I do not have
to check out, the problem with access is that it is used something
like this:
    if (access(filename, permstocheck) == 0) {   /* check ... */
        open(filename, whatever, whatever);       /* ... then use */
        ...
    }
There's a race condition between the call to access and the call to
open. Similar in principle to the race condition that causes setuid
shell scripts to be a security hole. I tried this once, a long time
ago because I was skeptical of this. I wrote a setuid root program
that would open a symbolic link to the passwd file for reading and
writing after checking it with access. I launched the program from a
wrapper that changed the symbolic link between /etc/passwd and a file
I legitimately had write access to under my own uid. It took, as I
recall, a little over 50 tries for a success (that is, I got the
passwd file).
Dave Goldberg
Post: The Mitre Corporation MS B020 202 Burlington Rd. Bedford, MA 01730
Phone: 617-271-3887
Domain: dsg@mitre.org UUCP: {your neighborhood}!linus!mdf!dsg