Possible Duplicate:
access() Security Hole
I quote from man page access(2):
Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided.
What does this mean, and in what situation would it be a concern?
This is a security concern only for Set-user-ID and set-group-ID applications. For applications running as the user itself there is no threat, because the operation in question would be rejected by the operating system anyway.
Consider this scenario: you have a UNIX program running as root via set-user-id. The program uses access to check file permissions of another user, and then runs the file as root, but only if the permission check has been successful. Let's say the program is called securerun, and you run it as follows:
securerun myfile
An attacker can make a program that exploits this security hole to run, using this algorithm:
xyz of which the user has executing permissionsA and BA waits a few milliseconds, and executes cp norunning xyz to replace xyz with a file that the attacker wants to run, but has no run permissions to do soB calls securerun xyzIf the attacker gets lucky by getting his timing right, your securerun would check the execute permissions on the old xyz, but it would run the new xyz, a copy of norunning that the hacker wasn't supposed to run. Since there is a short time window between the check and the execution, the attacker is bound to get lucky at some point, if he tries his strategy many times in a loop.
It is a classic "Time of check to time of use" race condition.
Typical erroneous code:
access to check whether to read file on user's behalf, in a program running with elevated privilegesDuring the "short gap", the user might be able to manipulate the file system, for example:
ln -f secret_file.txt non_secret_file.txt
Then open will open the secret file for reading, even though it would have failed the access check had the link been in place at the time the check was done.
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 在下西门庆 的文章《What is wrong with access()? [duplicate]》','https://www.manongdao.com/article-980708.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}