To: linux-kernel@vger.kernel.org
Path: not-for-mail
From: daw@cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.linux-kernel
Subject: Re: [PATCH] fcntl.h: define AT_EACCESS
Date: Mon, 19 Apr 2010 22:20:13 +0000 (UTC)
Organization: University of California, Berkeley
Message-ID: <hqikut$4ts$1@taverner.cs.berkeley.edu>
References: <1271387280-19565-1-git-send-email-max@stro.at> <20100419144729.2b8180e8.akpm@linux-foundation.org> <20100419215711.GR10984@baikonur.stro.at>
NNTP-Posting-Host: taverner.cs.berkeley.edu
NNTP-Posting-Date: Mon, 19 Apr 2010 22:20:13 +0000 (UTC)
Originator: daw@taverner.cs.berkeley.edu (David Wagner)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 859
Lines: 12

Can you share some justification why it's worth extending
faccessat() with new options?

Isn't faccessat() insecure in most use cases, due to TOCTTOU
(time-of-check to time-of-use) vulnerabilities?  When faccessat()
returns 0, you learn that at some point in the past, the process had
permission to access a given file, though the process may or may not
have permission at the moment.  Why is that a useful thing to know?

I'm sure you're familiar with all the standard arguments why using
access() tends to represent a security vulnerability.  Is there a reason
why similar arguments do not apply to faccessat()?
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/