Bug 39530

Summary: access(2) man page has unnecessarily broad warning
Product: Documentation
Reporter: Soren Spies <sspies>
Component: Books & Articles
Assignee: Remko Lodder <remko>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   

Description Soren Spies 2002-06-19 18:00:01 UTC
The access(2) man page has a warning about how "access(2) is a security hole and should never be used."  It shouldn't be used to achieve its design goal: allowing a privileged process to know whether its caller has rights on a particular file, but that doesn't mean it should _never_ be used.

In a non-privileged situation where you are just curious if something exists (and for some reason don't want to let the failure of a normal system call let you know it has gone missing, or doesn't have write permission any more, etc), access(2) is a perfectly reasonable mechanism ... especially if you don't want to decipher the bits in stat(2) to try and guess whether or not future syscalls to read/write will fail.

Given the existence of access(1), it seems FreeBSD itself is using access(2) for something ... programmers might like to do the same and shouldn't be frightened away by the CAVEAT section.  There is also some discussion online (e.g. http://www.geocrawler.com/archives/3/91/1994/10/50/177659/) about how access(2) is really only a problem for SUID applications.

Fix: 

The warning could perhaps read "programs should never make access decisions based upon access(2) nor should setUID programs rely on access() in any way."
How-To-Repeat: man 2 access
see CAVEAT section
be frightened away from an otherwise useful syscall that would help program writers display access hints about a directory on filesystems where it's hard to decipher the bits yourself.  This is particularly useful for GUIs (and came up when trying to convince the Mac OS X Finder to use access(2) to be usable with AFS volumes).
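The distinction drawn in this report, access(2) as a display hint versus access(2) as an access decision, shown as an added C example that is not part of the original report or of the FreeBSD sources. The function names and the /tmp path are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Advisory only: answers for the real UID/GID and may be stale at once. */
static int hint_can_write(const char *path)
{
    return access(path, W_OK) == 0;
}

/* Authoritative: the kernel decides at open(2) time; fstat(2) then inspects
 * the object actually held, not whatever the name points to later. */
static int open_regular_for_append(const char *path, int *err)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0) { *err = errno; return -1; }
    if (fstat(fd, &st) < 0) { *err = errno; close(fd); return -1; }
    if (!S_ISREG(st.st_mode)) { *err = EINVAL; close(fd); return -1; }
    *err = 0;
    return fd;
}

/* Constructed scenario: the file vanishes between the hint and the use.
 * Returns the errno the caller had to handle despite a positive hint. */
static int stale_hint_demo(void)
{
    char path[] = "/tmp/access-hint-XXXXXX"; /* constructed sample path */
    int err = 0, hinted, fd = mkstemp(path);
    if (fd < 0) return -1;
    close(fd);
    hinted = hint_can_write(path); /* 1: the menu item would be enabled */
    unlink(path);                  /* state changes after the check */
    fd = open_regular_for_append(path, &err);
    if (fd >= 0) close(fd);
    return (hinted && fd < 0) ? err : 0;
}

int main(void)
{
    printf("hint said yes, open failed with errno %d\n", stale_hint_demo());
    return 0;
}
```

The hint is suitable for enabling or greying out a menu item; the code that performs the operation relies only on the result of open(2) and on fstat(2) of the descriptor it received.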
Comment 1 Soren Spies 2003-07-10 03:16:58 UTC
I've noticed in FreeBSD 5.1 that we have eaccess(2) as well as a much 
better warning in the man page (explaining the tradeoffs, but still 
saying "never").

I propose the following patch:
diff -u access.2.orig access.2
--- access.2.orig       Wed Jul  9 17:16:34 2003
+++ access.2    Wed Jul  9 17:23:46 2003
@@ -144,6 +144,15 @@
  .Fn eaccess
  system call
  likewise may be subject to races if used inappropriately.
+.Pp
+.Fn access
+remains useful for providing clues to users as to whether operations
+make sense for particular filesystem objects (e.g. 'delete' menu
+item only highlighted in a writable folder ... avoiding interpretation
+of the st_mode bits that the application might not understand --
+e.g. in the case of AFS).  It also allows a cheaper file existance
+test than
+.Ns Xr stat 2 .
  .Sh SEE ALSO
  .Xr chmod 2 ,
  .Xr intro 2 ,
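Review bot: "existance" in the added line "+e.g. in the case of AFS).  It also allows a cheaper file existance" should be spelled "existence". In the same paragraph, the sentence "It also allows ..." starts mid-line, whereas mdoc sources conventionally begin each sentence on its own line, and the parenthetical that strings together "...", "--" and a second "e.g." is hard to parse; two plain sentences would read better. The trailing ".Ns Xr stat 2 ." can be a plain ".Xr stat 2 .", and st_mode could carry .Va markup. Since the context line directly above warns that these calls "may be subject to races if used inappropriately", the new paragraph should also say that the result is only a hint and that the operation that follows must still handle failure.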



--
Soren Spies
Apple Computer, Inc.
Comment 2 dfilter service freebsd_committer freebsd_triage 2007-12-08 22:50:41 UTC
remko       2007-12-08 22:50:35 UTC

  FreeBSD src repository

  Modified files:
    lib/libc/sys         access.2 
  Log:
  Make the warning a bit less 'broad' than it used to be.  The access
  seems to be a problem for SUID applications, which we like to
  prevent as much as possible.
  
  PR:             docs/39530
  Submitted by:   Soren Spies <sspies at apple dot com>
  MFC After:      3 days
  
  Revision  Changes    Path
  1.20      +10 -1     src/lib/libc/sys/access.2
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
Comment 3 Remko Lodder freebsd_committer freebsd_triage 2007-12-08 22:50:46 UTC
State Changed
From-To: open->patched

Patched in -CURRENT 
Take ownership of the PR 


Comment 4 Remko Lodder freebsd_committer freebsd_triage 2007-12-08 22:50:46 UTC
Responsible Changed
From-To: freebsd-doc->remko

Patched in -CURRENT 
Take ownership of the PR
Comment 5 dfilter service freebsd_committer freebsd_triage 2008-02-10 12:27:38 UTC
remko       2008-02-10 12:27:33 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_7)
    lib/libc/sys         access.2 
  Log:
  MFC rev 1.20 access.2
  
    Make the warning a bit less 'broad' than it used to be. The access
    seems to be a problem for SUID applications, which we like to
    prevent as much as possible.
  
    PR: docs/39530
    Submitted by: Soren Spies <sspies at apple dot com>
    MFC After: 3 days
  
  Revision  Changes    Path
  1.19.2.1  +10 -1     src/lib/libc/sys/access.2
Comment 6 dfilter service freebsd_committer freebsd_triage 2008-02-10 12:28:37 UTC
remko       2008-02-10 12:28:30 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_6)
    lib/libc/sys         access.2 
  Log:
  MFC rev 1.20 access.2
  
    Make the warning a bit less 'broad' than it used to be. The access
    seems to be a problem for SUID applications, which we like to
    prevent as much as possible.
  
    PR: docs/39530
    Submitted by: Soren Spies <sspies at apple dot com>
    MFC After: 3 days
  
  Revision   Changes    Path
  1.18.12.1  +10 -1     src/lib/libc/sys/access.2
Comment 7 Remko Lodder freebsd_committer freebsd_triage 2008-02-10 12:28:44 UTC
State Changed
From-To: patched->closed

MFC'ed to relevant branches, thanks for the submission!
Comment 8 dfilter service freebsd_committer freebsd_triage 2008-02-14 21:45:46 UTC
remko       2008-02-14 21:45:41 UTC

  FreeBSD src repository

  Modified files:        (Branch: RELENG_7_0)
    lib/libc/sys         access.2 
  Log:
  MFC rev 1.20 to 1.23 access.2
  
    v1.23
    After issuing a ntpdate [1] I noticed it's already 2008, reflect that
    in the last modified date.
  
    Noticed by:   brueffer [1]
  
    v1.22
    Fix typo (s/existance/existence/)
  
    Noticed by:   ceri
  
    v1.21
    Fix some style nits.
  
    Prodded by:   brueffer
    MFC After:    3 days
  
    v1.20
    Make the warning a bit less 'broad' than it used to be.  The access
    seems to be a problem for SUID applications, which we like to
    prevent as much as possible.
  
    PR:           docs/39530
    Submitted by: Soren Spies <sspies at apple dot com>
    MFC After:    3 days
  
  Approved by:    re (bmah)
  
  Revision  Changes    Path
  1.19.4.1  +10 -1     src/lib/libc/sys/access.2