On 02/01/2016 11:10 AM, Sumit Bose wrote:
> On Mon, Feb 01, 2016 at 10:45:56AM +0100, Pavel Reichl wrote:
> > I thought you were going to use 'fd' for the return value of open(). I still
> > think access() would be a better function to use. We would not need to care
> > about the file descriptor at all.
>
> It's a bit nit-picking, but access() only checks if you are allowed to
> access the file in the requested way, not if you are really able to do
> it. E.g. although the file permissions allow you to do so, the SELinux
> policy might prevent you from actually opening the file.
>
> Additionally, from the access(3) man page: "Warning: Using these calls to
> check if a user is authorized to, for example, open a file before
> actually doing so using open(2) creates a security hole, because the
> user might exploit the short time interval between checking and opening
> the file to manipulate it. For this reason, the use of this system call
> should be avoided. (In the example just described, a safer alternative
> would be to temporarily switch the process's effective user ID to the
> real ID and then call open(2).)"

I think that this security hole is not relevant for our case, because we open
the file to test if we have access and then we close it. File privileges can be
changed before krb child actually accesses the file in the very same way as if
we tested by access(), right?

Anyway, I see the advantage of the SELinux policy being checked when the open()
is performed, so I no longer push for access().
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-devel@lists.fedorahosted.org
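An added illustration of the three patterns discussed in this thread: an access(2) pre-check, an open-then-close check, and the variant that keeps the descriptor it opened so no second path lookup happens. This is example code written for this page, not SSSD code; the function names, the `/tmp` sample file it creates, and the "treat non-regular files as an error" rule in `read_regular_file` are assumptions of the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern 1: access(2) pre-check. The kernel evaluates only the DAC
 * permission bits against the real uid/gid; an LSM denial (e.g. SELinux)
 * is not visible here, and the answer can be stale by the time the file
 * is opened by path. Returns 1 if the check passes, 0 otherwise. */
static int readable_via_access(const char *path)
{
    return access(path, R_OK) == 0;
}

/* Open the file read-only with the flags a careful consumer would use.
 * Every check the real consumer would hit (DAC, SELinux/AppArmor, the
 * O_NOFOLLOW symlink refusal) is applied by this single call.
 * Returns the descriptor, or -1 with errno set. */
static int open_readable(const char *path)
{
    return open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
}

/* Pattern 2: open-then-close, as proposed in the thread. Accurate at the
 * moment of the open, but the eventual consumer still re-resolves the path,
 * so a change between this check and that open goes unnoticed. */
static int readable_via_open(const char *path)
{
    int fd = open_readable(path);
    if (fd < 0) {
        return 0;
    }
    close(fd);
    return 1;
}

/* Pattern 3: open once, validate on the descriptor (fstat, not stat), and
 * consume through that same descriptor. There is no check-then-use window
 * because the check and the use refer to the same open file.
 * Returns bytes read, or -1 with errno set. */
static ssize_t read_regular_file(const char *path, char *buf, size_t len)
{
    struct stat st;
    int fd = open_readable(path);
    if (fd < 0) {
        return -1;
    }
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL; /* assumption: only regular files are acceptable */
        return -1;
    }
    ssize_t n = read(fd, buf, len);
    int saved = errno;
    close(fd);
    errno = saved;
    return n;
}

/* Constructed sample input: a throwaway file in /tmp with known content. */
static char sample_path[64];
static char sample_buf[128];
static const char sample_msg[] = "check-then-use demo\n";

static int make_sample_file(void)
{
    char tmpl[] = "/tmp/access-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) {
        return -1;
    }
    ssize_t want = (ssize_t)(sizeof(sample_msg) - 1);
    if (write(fd, sample_msg, (size_t)want) != want) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    close(fd);
    snprintf(sample_path, sizeof(sample_path), "%s", tmpl);
    return 0;
}

int main(void)
{
    if (make_sample_file() != 0) {
        perror("make_sample_file");
        return 1;
    }
    printf("sample file: access()=%d open()=%d\n",
           readable_via_access(sample_path), readable_via_open(sample_path));
    ssize_t n = read_regular_file(sample_path, sample_buf, sizeof(sample_buf) - 1);
    if (n >= 0) {
        sample_buf[n] = '\0';
        printf("read %zd bytes through the kept descriptor: %s", n, sample_buf);
    }
    printf("missing file: access()=%d open()=%d\n",
           readable_via_access("/nonexistent/access-demo"),
           readable_via_open("/nonexistent/access-demo"));
    unlink(sample_path);
    return 0;
}
```

On a system with a confining SELinux policy, pattern 1 can report success for a file that pattern 2 and 3 fail to open; that is the point Sumit raises. The difference between patterns 2 and 3 is the one Pavel raises: only pattern 3 removes the window between the check and the later use, because the consumer never goes back to the path.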