1158 | 1158 | \item The function was meant for an SUID process to verify whether the user |
1159 | 1159 | running the process would have had access to a file if it was not for the SUID |
1160 | 1160 | privileges. However, there is an inherent security hole in this approach. |
1161 | | -The test and the subsequent action on the file is not an atomic operation. An |
1162 | | -attacker could possibly \texttt{unlink} the file and immediately symlink it to a |
1163 | | -different file to what it actually had no rights to manipulate with. If the |
1164 | | -timing is right, the SUID process will operate on that other file. The correct |
1165 | | -solution is not to use the \texttt{access} call but return to the real UID/GID |
1166 | | -and try the operation. For example, if we succeed in opening the file under the |
1167 | | -real UID/GID and continue working with the file descriptor, the file |
1168 | | -manipulation mentioned above would not gain the attacker anything. |
| 1161 | +The test and the subsequent action on the file is not an atomic operation. |
| 1162 | +This is called the time-of-check to time-of-use (TOCTOU) problem, |
| 1163 | +see \url{https://en.wikipedia.org/wiki/Time-of-check\_to\_time-of-use}. |
| 1164 | +An attacker could possibly \texttt{unlink} the file and immediately symlink it |
| 1165 | +to a different file to what it actually had no rights to manipulate with. |
| 1166 | +If the timing is right, the SUID process will operate on that other file. |
| 1167 | +\\ |
| 1168 | +The correct solution is not to use the \texttt{access} call but return to the |
| 1169 | +real UID/GID and try the operation. For example, if we succeed in opening the |
| 1170 | +file under the real UID/GID and continue working with the file descriptor, the |
| 1171 | +file manipulation mentioned above would not gain the attacker anything. |
1169 | 1172 | \end{itemize} |
1170 | 1173 |
1171 | 1174 | %%%%% |
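Review bot: the escaped underscores in the added `\url{https://en.wikipedia.org/wiki/Time-of-check\_to\_time-of-use}` line are unnecessary and will likely corrupt the link: `\url` reads its argument verbatim, so the backslashes end up in both the printed text and the hyperlink target. Write `\url{https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use}` instead. Two smaller points on the same hunk: the bare `\\` separating the problem from the solution forces a line break where a blank line (a paragraph break) is the idiomatic LaTeX way to start a new paragraph, and the wording "to a different file to what it actually had no rights to manipulate with" would read more cleanly as "to a different file that it had no right to manipulate"; "The test and the subsequent action on the file is not an atomic operation" should also agree in number ("are not").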