Code to hide inaccessible files/directories
Bill Moran
wmoran at iowna.com
Tue Apr 17 20:56:32 GMT 2001
Interesting. In practice it works flawlessly (samba 2.0.7 under FreeBSD
4.2) but if it would fail to work under newer versions, that's important to
know.
-Bill
----------
From: Simo Sorce
Sent: Tuesday, April 17, 2001 7:59 AM
To: Bill Moran
Cc: samba-technical at samba.org
Subject: Re: Code to hide inaccessible files/directories
Just as a reminder, access (under linux) uses the real uid for testing not
effective uid.
As most of teh code now (HEAD) runs with real uid 0 and effective = users
uid access will never fail (eg access will be ever granted)
Don't know how it applies to 2.0.7 codebase
On Tue, Apr 17, 2001 at 07:27:23AM -0400, Bill Moran wrote:
> "Ph. Marek" wrote:
>
> > How about a getcwd(), chdir() to the directory, loop, and chdir() back?
> > Thus one can avoid the pasting of filenames together. And getcwd() at
least
> > allows to check if a larger buffer is needed. (if the current directory
of
> > samba is normally /, this can even be avoided - simple do chdir(),
loop,
> > chdir(/)).
>
> Could be done. access() needs a full pathname, though (I believe) so it
> would require a different test for rights.
>
> > >3. The access() command is considered "a security hole that should
never
> > >be used" by the BSD documentation. However, I can not see how access()
> > >is a security concern _in this particular implementation_, and nobody
> > >has been able to give me an example of how it could be. If using
> > >access() makes you nervious, you could replace it with open()-with a
> > >test for success. I didn't want to do this because of the potential
> > >performance hit. Also, I don't know whether or not access() is
portable
> > >to other systems (such as Linux)
> > I don't know about this security hole. Do you have some documentation
> > about it?
>
> Race condition. If you use access() to test permissions - then perform
> some function as a result, there's a possibility for someone to change
> the permissions between those two actions. For example, you test
> access() to see if the user can open a file and find it OK to open, then
> a malicious user replaces the file with a links to passwd. You then have
> access to a file you shouldn't. Like I said, doesn't seem to apply in
> this use.
>
> > Thanks very much, Bill!
> >
> > I'll try to test that.
>
> Let me know if you hit any snags.
>
> -Bill
>
--
Simo Sorce
------------------------------
Unix IS user friendly, it is just selective about who his friends are.
More information about the samba-technical
mailing list