[Freeipa-devel] [PATCH] add requires_root option to Command

John Dennis jdennis at redhat.com
Wed Apr 22 14:46:00 UTC 2009


>> Warning: Using access() to check if a user is authorized to, for
>> example, open a file before actually doing so using open(2) creates a
>> security hole, because the user might exploit the short time
>> interval between checking and opening the file to manipulate it. For
>> this reason, the use of this system call should be avoided.

Out of curiosity and for my own edification, what is the exploit and why 
use access() at all? If access() returns denied, the file won't be 
opened, so how is this different from calling open() and getting an 
EPERM? If access() returns success, then you attempt to open the file, 
which either succeeds or fails, presumably based on the same permission 
check access() just performed. Trying to exploit the interval of time 
between the two system calls seems extraordinarily difficult. If the 
user has permission to change the protection on the file, then why is the 
interval of time between access() and open() meaningful? They already have 
the capacity to manipulate the file. Finally, why use access() at all? Why 
not just try open() and check for EPERM?

-- 
John Dennis <jdennis at redhat.com>

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
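The two patterns from the quoted man page warning side by side, as an added C example that is not part of this thread (the /tmp path prefix and the expected-owner check are assumptions for the demo): access() followed by open() looks the path name up twice, so the object behind the name can change in between, while open() followed by fstat() inspects the descriptor the process already holds, leaving no interval to race.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy pattern from the warning: the permission check and the open each
 * resolve the path name separately. access() also tests the *real* UID,
 * which is why set-uid programs historically reached for it. */
int open_checked_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;                    /* check the name ... */
    return open(path, O_RDONLY);      /* ... then use the name again */
}

/* Safe pattern: open first, then check the object you actually hold.
 * O_NOFOLLOW refuses a symlink at the final component; fstat() reports
 * on the opened descriptor, so nothing can be swapped in between. */
int open_checked_safe(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed fixture (not from the thread): a temp file we own plus a
 * symlink to it. Returns 0 on success; out-params hold the results. */
int demo(int *safe_on_file, int *safe_on_link)
{
    char file[] = "/tmp/toctou_demo_XXXXXX";   /* assumed writable dir */
    char link[64];
    int fd = mkstemp(file);
    if (fd < 0) return -1;
    close(fd);
    snprintf(link, sizeof link, "%s.lnk", file);
    unlink(link);
    if (symlink(file, link) != 0) { unlink(file); return -1; }
    *safe_on_file = open_checked_safe(file, getuid());  /* opens */
    *safe_on_link = open_checked_safe(link, getuid());  /* rejected */
    if (*safe_on_file >= 0) close(*safe_on_file);
    unlink(link); unlink(file);
    return 0;
}
```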


