What is wrong with access()?


Question


Possible Duplicate:
access() Security Hole

I quote from man page access(2):

Warning: Using access() to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided.

What does this mean, and in what situation would it be a concern?

Solution

This is a security concern only for Set-user-ID and set-group-ID applications. For applications running as the user itself there is no threat, because the operation in question would be rejected by the operating system anyway.

Consider this scenario: you have a UNIX program running as root via set-user-id. The program uses access to check file permissions of another user, and then runs the file as root, but only if the permission check has been successful. Let's say the program is called securerun, and you run it as follows:

securerun myfile

An attacker can make a program that exploits this security hole to run, using this algorithm:

  • Write a file xyz for which the user has execute permission
  • Start two threads, A and B
  • Thread A waits a few milliseconds, then executes cp norunning xyz to replace xyz with a file that the attacker wants to run but has no permission to run
  • Thread B calls securerun xyz

If the attacker gets lucky by getting his timing right, your securerun would check the execute permissions on the old xyz, but it would run the new xyz, a copy of norunning that the hacker wasn't supposed to run. Since there is a short time window between the check and the execution, the attacker is bound to get lucky at some point, if he tries his strategy many times in a loop.
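The following is an added example, not part of the original answer, that replays the check-then-use window deterministically: instead of a racing thread A, a hook performs the attacker's swap (an atomic rename(), standing in for the answer's cp) exactly between the access() check and the open(). Beside it is the pattern that closes the window for a set-user-ID program: switch the effective UID to the real user and let the kernel do the permission check at open() time, then inspect the descriptor you actually hold with fstat(). The function names, the temp-directory layout and the file contents are all constructed for this demonstration.

```c
/* Added example (not from the original answer): a deterministic replay of the
 * check-then-use window in access(2), plus the pattern that closes it. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hook type: called between "check" and "use" to stand in for the attacker's
 * thread A winning the race. */
typedef void (*window_fn)(void *arg);

/* Vulnerable: access() answers "may the real user read *this path*?", but the
 * later open() resolves the path a second time. Whatever is swapped in
 * between is what actually gets opened. */
static int check_then_open(const char *path, window_fn attacker, void *arg) {
    if (access(path, R_OK) != 0)
        return -1;                       /* check ... */
    if (attacker)
        attacker(arg);                   /* ... window ... */
    return open(path, O_RDONLY);         /* ... use (possibly another inode) */
}

/* Hardened: let the kernel do the permission check at open() time as the
 * real user, so check and use are one operation on one inode. The euid
 * switch is only needed (and only attempted) when the process is actually
 * running set-user-ID; in this unprivileged demo it is skipped. */
static int open_as_real_user(const char *path, window_fn attacker, void *arg) {
    uid_t real = getuid(), saved = geteuid();
    if (saved != real && seteuid(real) != 0)
        return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    int saved_errno = errno;
    if (saved != real && seteuid(saved) != 0) {  /* must restore, or bail out */
        if (fd >= 0) close(fd);
        return -1;
    }
    if (fd < 0) { errno = saved_errno; return -1; }
    struct stat st;                              /* check the object we hold */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    if (attacker)
        attacker(arg);                   /* too late: fd is bound to the inode */
    return fd;
}

/* The attacker's move from the answer: replace the approved file with the
 * forbidden one. rename() is atomic, which is what cp achieves once it wins. */
struct swap { char from[256]; char to[256]; };
static void swap_in_secret(void *arg) {
    struct swap *s = arg;
    rename(s->from, s->to);
}

static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Runs one scenario in a fresh temp dir (constructed data). Returns 1 if the
 * program ended up reading the swapped-in "secret" file, 0 if it read the
 * file it checked, -1 on setup error. */
int program_read_swapped_file(int hardened) {
    char dir[] = "/tmp/accessdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    struct swap s;
    snprintf(s.to, sizeof s.to, "%s/allowed", dir);    /* what gets checked */
    snprintf(s.from, sizeof s.from, "%s/secret", dir); /* what the attacker wants */
    int result = -1;
    if (write_file(s.to, "allowed\n") == 0 && write_file(s.from, "secret\n") == 0) {
        int fd = hardened ? open_as_real_user(s.to, swap_in_secret, &s)
                          : check_then_open(s.to, swap_in_secret, &s);
        if (fd >= 0) {
            char buf[32] = {0};
            ssize_t n = read(fd, buf, sizeof buf - 1);
            close(fd);
            if (n > 0) result = (strcmp(buf, "secret\n") == 0);
        }
    }
    unlink(s.to); unlink(s.from); rmdir(dir);
    return result;
}

int main(void) {
    printf("check_then_open read the swapped file:   %d\n", program_read_swapped_file(0));
    printf("open_as_real_user read the swapped file: %d\n", program_read_swapped_file(1));
    return 0;
}
```

The vulnerable path reports 1: access() approved the original inode, the rename happened, and open() resolved the name to the attacker's file. The hardened path reports 0: open() bound the descriptor to the inode that was checked, so the later rename changes nothing about what the program reads. In a real set-user-ID program the seteuid() switch is the essential part, because as root open() would succeed regardless of the file's mode; the fstat() afterwards is a cheap additional check on the object you actually hold, and O_NOFOLLOW keeps a symlink from being swapped in instead of a file.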
