Author: Sheldon Hearn Date: To: Harald Meland CC: exim-users Subject: Re: [Exim] Conditionalize a router on file existance; effective uid and NFS woes
On (2003/08/05 14:18), Harald Meland wrote:
> During delivery, the stat() function is run as root, but there is a
> facility for checking the accessibility of a file by another
> user. [...]
>
> , and that is not true. Exim _tries_ to do an ad-hoc-check of the
> accessibility by another user, but the check is not *really* checking
> the accessibility by another user; one should use
> set[e]uid(2)+access(2) for that.
Even access(2) is fallible. Given that it's not going to get the job
right all the time, why go to all this extra effort anyway?
The FreeBSD manpage for access(2) has this to say:
SECURITY CONSIDERATIONS
The access() system call is a potential security hole due to race
condi- tions and should never be used. Set-user-ID and set-group-ID
applica- tions should restore the effective user or group ID, and
perform actions directly rather than use access() to simulate access
checks for the real user or group ID. The eaccess() system call
likewise may be subject to races if used inappropriately.
Other platforms have fallible access(2) implementations too.
Note that I'm only advising againts waste of effort. I'm not arguing
with the rest of your message, which points to what seems like a
legitimate problem.
