access() 安全漏洞 [英] access() Security Hole

问题描述

我一直在写一些 shell 并遇到了一个关于 access() 来检查文件是否存在、是否可以读取等的建议.看起来非常容易实现并且比 stat().当我开始查看它的手册页时，我注意到不推荐使用它，因为它会导致安全漏洞.手册页是这样说的:

I've been doing some shell writing and came across a recommendation for access() to check whether a file exists, can be read, etc. Seems super easy to implement and faster than stat(). When I started looking at the man page for it, I noticed that it is NOT recommended for use because it can lead to a security hole. The man page says this:

使用 access() 检查用户是否被授权例如打开一个文件在实际这样做之前，使用 open(2) 创建一个安全漏洞，因为用户可能会利用两者之间的短时间间隔检查并打开文件以对其进行操作.

Using access() to check if a user is authorized to e.g. open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it.

有谁知道这是如何被利用的，或者它是否只与在检查文件后使用 open() 有关?我知道很多人说用 stat() 代替，但是 access() 很容易实现，特别是对于我使用它的 shell.

Does anyone know how this can be exploited or if it pertains only to using open() after checking a file? I know that a lot of people say to use stat() instead, but access() is so easy to implement, especially for the shell that I used it for.

推荐答案

那是 TOCTOU 竞赛(检查时间到更新时间).恶意用户可以将他有权访问的文件替换为他在 access() 和 open() 调用之间无权访问的内容的符号链接.使用 faccessat() 或 fstat().一般来说，打开一个文件一次，然后在它上面使用 f*() 函数(例如:fchown(), ...).

That is a TOCTOU race (Time of Check to Time of Update). A malicious user could substitute a file he has access to for a symlink to something he doesn't have access to between the access() and the open() calls. Use faccessat() or fstat(). In general, open a file once, and use f*() functions on it (e.g: fchown(), ...).

这篇关于access() 安全漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！