Abstract

It is well known that it is insecure to use the access(2) system call in a setuid program to test for the ability of the program’s executor to access a file before opening said file. Although the access(2) call appears to have been designed exactly for this use, such use is vulnerable to a race condition. This race condition is a classic example of a time-of-check-to-time-of-use (TOCTTOU) problem. We prove the “folk theorem ” that no portable, deterministic solution exists without changes to the system call interface, we present a probabilistic solution, and we examine the effect of increasing CPU speeds on the exploitability of the attack.