[Freeipa-devel] [PATCH] add requires_root option to Command
John Dennis
jdennis at redhat.com
Wed Apr 22 14:46:00 UTC 2009
>> Warning: Using access() to check if a user is authorized to, for
>> example, open a file before actually doing so using open(2) creates a
>> security hole, because the user might exploit the short time
>> interval between checking and opening the file to manipulate it. For
>> this reason, the use of this system call should be avoided.
>>
Out of curiosity and for my own edification, what is the exploit, and why
use access() at all? If access() returns denied, the file won't attempt
to be opened; how is this different than calling open() and getting an
EPERM? If access() returns success, then you attempt to open the file,
which either succeeds or fails, presumably based on the same permission
check access() just performed. Trying to exploit the interval of time
between the two system calls seems extraordinarily difficult. If the
user has permission to change the protection on the file, then why is the
interval of time between access() and open() meaningful? They have the
capacity to manipulate the file. Finally, why use access() at all? Why
not just try open() and check for EPERM?
--
John Dennis <jdennis at redhat.com>
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
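The man page warning quoted above concerns a privileged program (typically set-user-ID) that decides on a path name with access(), which checks against the real user ID, and then acts on that path with open(), which checks against the effective user ID; what sits behind the name can be swapped between the two calls. The usual defensive answer is the one the message arrives at: skip the pre-check, let open() do the permission test, and then validate the object you actually got through its descriptor. The following C program is an added illustration, not code from the FreeIPA project or from the thread; the function names, the expected-owner parameter and the temporary-file layout are assumptions chosen for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use: the pattern access(2)'s man page warns about. The
 * decision is taken on a path name, and the object behind that name may
 * be a different one by the time open() runs. Kept only for comparison. */
int open_check_then_use(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;                   /* decision made on the name here ... */
    return open(path, O_RDONLY);     /* ... acted on here, possibly on another object */
}

/* Open-then-verify: let open() perform the permission check itself, then
 * inspect the descriptor with fstat(). A descriptor refers to a fixed
 * object, so renaming or relinking the path can no longer change what we
 * examine. O_NOFOLLOW refuses a symbolic link at the final component. */
int open_then_verify(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0)
        return -1;                   /* EACCES, ELOOP, ENOENT come out of open() directly */

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);                   /* not the kind of object we agreed to read */
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture: a scratch directory holding a regular file and a
 * symlink to it. Returns 0 when the hardened opener accepts the file and
 * rejects the symlink with ELOOP; any other value identifies the failed step. */
int demo(void)
{
    char dir[] = "/tmp/toctou_demo_XXXXXX";    /* assumed writable scratch location */
    if (mkdtemp(dir) == NULL)
        return 1;

    char file[256], link[256];
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(link, sizeof link, "%s/alias", dir);

    int rc = 0;
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) {
        rc = 2;
    } else {
        if (write(fd, "hello\n", 6) != 6)
            rc = 2;
        close(fd);
    }
    if (rc == 0 && symlink(file, link) != 0)
        rc = 3;

    if (rc == 0) {                   /* regular file owned by us: accepted */
        fd = open_then_verify(file, getuid());
        if (fd < 0) rc = 4; else close(fd);
    }
    if (rc == 0) {                   /* symlink at the final component: refused */
        fd = open_then_verify(link, getuid());
        if (fd >= 0) { close(fd); rc = 5; }
        else if (errno != ELOOP) rc = 6;
    }

    unlink(link);
    unlink(file);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = demo();
    printf("%s (rc=%d)\n", rc == 0 ? "open-then-verify behaved as expected" : "demo failed", rc);
    return rc;
}
```

The point of open_then_verify is that every property it relies on (type, owner, permissions) is read from the descriptor, never from the name. If the program must act on behalf of the real user rather than its privileged identity, the cleaner fix than access() is to drop privileges first so the kernel applies the right credentials inside open() itself.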