trusted_for() bounces off the merge window
Posted Apr 28, 2022 7:36 UTC (Thu) by arnout (subscriber, #94240)
Parent article: trusted_for() bounces off the merge window
How is access() or faccessat2() supposed to be used safely? Is there a way to avoid the TOCTOU that is mentioned in the man page?
Warning: Using these calls to check if a user is authorized to, for example, open a file before actually doing so using open(2) creates a security hole, because the user might exploit the short time interval between checking and opening the file to manipulate it. For this reason, the use of this system call should be avoided. (In the example just described, a safer alternative would be to temporarily switch the process's effective user ID to the real ID and then call open(2).)