>>>>> "Steve" == Steve Simmons <apple!lokkur.dexter.mi.us!scs> writes: >> The security hole in access() is really that it has an implicit race >> condition in it. You check a file, and then you assume moments later that >> the same access is granted. So, if the file is a really a symlink, and >> someone changes where it points to between the access() and the open(), a >> completely different file might be affected. This is the root of many of >> the holes that get posted here (xterm, /bin/mail come to mind). Steve> The obvious correct coding is to open *first*, then check access, and Steve> close it back up if you shouldn't have opened it. This doesn't get around the race condition. 1. Your suid script opens a file that is a symlink pointing to /etc/passwd. 2. Before the access, but after the open(), the symlink is changed to point to someplace that I have legitimate access to. 3. You do your access() call on the new symlink... I may have to run the program a hundred times to get the race condition to occur (loading the machine also helps sometimes)... ---Kayvan Kayvan Sylvan | Sylvan Associates | Proud Dad of: kayvan@Sylvan.COM | Training, Consulting | Katherine Yelena (8/8/89) PGP Key available. | NLP Master Practitioner | Robin Gregory (2/28/92) "The trust and respect of a child is an honor to be earned, not demanded."