Bug in tempnam(3) function

[Don Lewis]

In article <2077 at polari.UUCP> 6sigma2 at polari.UUCP (Brian Matthews) writes:
>In article <433 at mtndew.UUCP> friedl at mtndew.UUCP (Stephen J. Friedl) writes:
>|Email will get a pretty detailed note on why
>|access(2) is evil.

Would using stat(2), and checking if the uids/gids match and looking
at the permission bits have been better?  Should the effective or
real ids have be used?

>
>I wouldn't go that far.  Access(2) is quite necessary for certain things.
>Unfortunately, it could probably have a better name, and the manual page
>(at least all the ones I've seen) doesn't do a great job of indicating
>when it should and shouldn't be used, so lots of people (evidently
>including whoever wrote tempnam(3) :-)) misuse it.  This doesn't mean
>that access(2) is evil though.
>

I agree that access(2) is very useful.  I have seen a lot of objections
to its use in programs because of what how it interacts with set[ug]id'ness,
but all the examples I have seen have are not (and have no business
being) set[ug]id.  Even if a program is set[ug]id, I believe that
access(2) is still very useful, because it returns the file accessability
for the actual user running the program (assuming the program doesn't
fiddle with the real [ug]id).  For example, if a setuid root program
which uses access(2) to check for valid write access to a file before
fopen()ing it for writing will not overwrite any files that the user
does not actually have write permission for.

Using access(2) propery in a set[ug]id situation is a bit tricky, and
should be better documented.  Any library routines that use access(2)
or other validation methods should be documented as to exactly how they
behave.  The proper validation method depends on the circumstances.
--
Don "Truck" Lewis                      Harris Semiconductor
Internet:  del at mlb.semi.harris.com     PO Box 883   MS 62A-028
Phone:     (407) 729-5205              Melbourne, FL  32901