Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!mcnc!rti!trt
From: trt@rti.UUCP (Thomas Truscott)
Newsgroups: comp.unix.questions
Subject: Re: access(2) question
Message-ID: <1489@rti.UUCP>
Date: Fri, 19-Jun-87 13:55:13 EDT
Article-I.D.: rti.1489
Posted: Fri Jun 19 13:55:13 1987
Date-Received: Mon, 22-Jun-87 03:24:19 EDT
References: <530@applix.UUCP> <1341@xanth.UUCP>
Organization: Research Triangle Institute, NC
Lines: 53

NEVER EVER USE THE "ACCESS" SYSTEM CALL!

The "access" system call was added in UNIX (tm AT&T) V7
to make life easier for SUID programs.
It does that, and it also makes life buggier.
I have seen two ways in which "access" is used, and both are wrong.

1. To determine, in a SUID program, if the RUID can access a file
in a certain way. Say you have a mail program which is SUID root
and you ask it to include the file "harmless" in your letter.
So the mail program does:

    if (access("harmless", 04) != 0)
        burp("Sorry, you do not have read permission for that.");
    /* LOOPHOLE HERE */
    fp = fopen("harmless", "r");
    ... read the file into the letter ...

This use of "access" is a pathetic attempt at security.
A Bad Guy can arrange that "harmless" is a generally readable file
at the time of the "access" and then, when "LOOPHOLE" is reached,
replace it with a link to "secretfile".
The mail program will unknowingly interpolate the secret file
into the Bad Guy's letter.
The ploy may only work one time in a thousand, but that is too often.

2. To determine, in a program, if a file exists, is readable, etc.
This is by far the most common use for "access".
It is much more painful to write

    #include <sys/types.h>
    #include <sys/stat.h>
    struct stat sb;
    if (stat("foo", &sb))
        burp("no such file");

than to write

    if (access("foo", 0))
        burp("no such file");

But wait a minute! What if the program is SUID!!
Then "access" will be checking the wrong permissions!
And even if the program itself is not SUID,
it might someday be invoked via one.
This use of "access" is an accident waiting to happen.

Even ignoring the above problems, it is difficult to use "access" correctly.
The manual page points out the glitches of "writable" directories
and "executable" files which aren't really.
The manual page neglects to mention that if the RUID is root,
*all* files appear to be "executable" independent of the permission bits.

Vnode (NFS) filesystems have even more features.
They have the above glitches, plus the pathname to the file
is checked as the EUID, not as the RUID.
So a file may appear to be readable by the RUID, yet is not, or vice versa.
(I guess this is just SunOS thumbing its nose at "UNIX semantics").

It is time to drop this misguided system call.
	Tom Truscott
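The two uses above, as an added C example that is not Truscott's code: the check-then-open pattern whose gap is the "LOOPHOLE", beside a form that makes open() itself the check by switching the effective uid to the real uid for the duration of the call, so the kernel judges whatever file the name resolves to at that instant. Function names are assumed, and the self-check builds its own temporary file.

```c
#define _XOPEN_SOURCE 700   /* declares seteuid() and mkstemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Racy pattern from the post: the name can change between the two calls. */
int open_readable_racy(const char *path)
{
    if (access(path, R_OK) != 0)
        return -1;
    /* LOOPHOLE: "path" may now name a different file */
    return open(path, O_RDONLY);
}

/* Hardened form: open as the real user, so the RUID's permissions are
 * applied to the file actually opened and there is no separate check.
 * Assumes a SUID program whose saved set-user-ID lets euid be restored. */
int open_as_real_user(const char *path)
{
    uid_t euid = geteuid(), ruid = getuid();
    int fd, saved_errno;
    if (euid != ruid && seteuid(ruid) == -1)
        return -1;
    fd = open(path, O_RDONLY);
    saved_errno = errno;
    if (euid != ruid && seteuid(euid) == -1) {
        if (fd >= 0) close(fd);   /* could not regain privilege: fail closed */
        errno = EPERM;
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Self-check on a constructed temp file; 0 = both opens succeed, missing path rejected. */
int demo(void)
{
    char tmpl[] = "/tmp/access_demo_XXXXXX";   /* constructed input */
    int fd = mkstemp(tmpl), a, b, c;
    if (fd < 0) return 1;
    close(fd);
    a = open_as_real_user(tmpl);
    b = open_readable_racy(tmpl);
    c = open_as_real_user("/nonexistent/access_demo_missing");
    unlink(tmpl);
    if (a >= 0) close(a);
    if (b >= 0) close(b);
    return (a >= 0 && b >= 0 && c == -1) ? 0 : 2;
}
```

Run as an ordinary user the two uids are equal and the hardened path is a plain open(); the seteuid() switch only matters when the binary is SUID.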