On Mon, Feb 01, 2016 at 10:45:56AM +0100, Pavel Reichl wrote:
> I thought you were going to use 'fd' for return value of
> open(). I still think access() would be a better function to use.
> We would not need to care about file descriptor at all.
It's a bit nit-picking, but access() only checks if you are allowed to
access the file in the requested way, not if you are really able to do
it. E.g. although the file permission allows you to do so, the SELinux
policy might prevent you from actually opening the file.
Additionally, from the access(3) man page: "Warning: Using these calls to
check if a user is authorized to, for example, open a file before
actually doing so using open(2) creates a security hole, because the
user might exploit the short time interval between checking and opening
the file to manipulate it. For this reason, the use of this system call
should be avoided. (In the example just described, a safer alternative
would be to temporarily switch the process's effective user ID to the
real ID and then call open(2).)"
bye,
Sumit
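
The open()-based check discussed in this thread, as an added example that is not part of the original message or of the SSSD code base: the file is opened once and every further check is made on the descriptor, so there is no interval between check and use. The helper name `open_checked`, the regular-file requirement and the sample paths are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `path` read-only and validate the opened object.
 * Returns 0 and stores the descriptor in *fd_out, or an errno value. */
int open_checked(const char *path, int *fd_out)
{
    struct stat st;
    int fd, err;

    *fd_out = -1;
    /* The kernel applies every access decision (mode bits, ACLs, SELinux)
     * here; O_NONBLOCK keeps a FIFO at this path from blocking the caller. */
    fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd == -1)
        return errno;
    /* fstat() inspects the descriptor, not the path, so replacing the path
     * after this point cannot change what was checked. */
    if (fstat(fd, &st) == -1)
        err = errno;
    else if (!S_ISREG(st.st_mode))
        err = EINVAL;           /* assumption: only regular files are wanted */
    else {
        *fd_out = fd;           /* caller reads from this same descriptor */
        return 0;
    }
    close(fd);
    return err;
}

int main(void)
{
    const char *paths[] = { "/", "/nonexistent-sample-path" }; /* constructed */
    for (size_t i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        int fd, ret = open_checked(paths[i], &fd);
        printf("%-26s access()=%d open_checked()=%s\n", paths[i],
               access(paths[i], R_OK), ret ? strerror(ret) : "ok");
        if (fd != -1)
            close(fd);
    }
    return 0;
}
```

For "/" access() reports success while `open_checked` rejects the object it actually opened, which is the gap between "allowed" and "usable" described above.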