# Exploit access() with Symlinks

By [int0x33](https://paragraph.com/@int0x33) · 2021-11-17

---

### About access()

The _access()_ system call checks the accessibility of the file specified in _pathname_ based on a process’s real user and group IDs (and supplementary group IDs).

    #include <unistd.h>
    int access(const char *pathname, int mode);
    

If _pathname_ is a symbolic link, _access()_ dereferences it. If all of the permissions specified in _mode_ are granted on _pathname_, then _access()_ returns 0; if at least one of the requested permissions is not available (or an error occurred), then _access()_ returns –1.

### The Issue

The time gap between a call to _access()_ and a subsequent operation on a file means that there is no guarantee that the information returned by _access()_ will still be true at the time of the later operation (no matter how brief the interval). This situation could lead to security holes in some application designs.

### Example

Suppose, for example, that we have a set-user-ID-_root_ program that uses _access()_ to check that a file is accessible to the real user ID of the program, and, if so, performs an operation on the file (e.g., _open()_ or _exec()_).

The problem is that if the pathname given to _access()_ is a symbolic link, and a malicious user manages to change the link so that it refers to a different file before the second step, then the set-user-ID-_root_ program may end up operating on a file for which the real user ID does not have permission. (This is an example of the type of time-of-check, time-of-use race condition described in Section 38.6.) For this reason, recommended practice is to avoid the use of _access()_ altogether (see, for example, \[Borisov, 2005\]). In the example just given, we can achieve this by temporarily changing the effective (or file system) user ID of the set-user-ID process, attempting the desired operation (e.g., _open()_ or _exec()_), and then checking the return value and _errno_ to determine whether the operation failed because of a permission issue.
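The mitigation described above, as an added example that is not code from the original article: instead of checking with _access()_ and then opening, the program drops its effective IDs to the real IDs, lets _open()_ perform the permission check itself, and then restores its privileges. The helper name `open_as_real_user` is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (name is an assumption, not from the article).
 * Opens `path` with the real user's privileges, so the permission check
 * happens inside open() itself and there is no check/use gap to race. */
int open_as_real_user(const char *path, int flags)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first: once the effective UID is unprivileged,
     * the process may no longer be allowed to change its GID. */
    if (setegid(getgid()) == -1)
        return -1;
    if (seteuid(getuid()) == -1) {
        saved_errno = errno;
        if (setegid(saved_egid) == -1)
            abort();
        errno = saved_errno;
        return -1;
    }

    fd = open(path, flags);   /* kernel checks against the real user's IDs */
    saved_errno = errno;

    /* Restore in reverse order; if that fails, the privilege state is unknown. */
    if (seteuid(saved_euid) == -1 || setegid(saved_egid) == -1)
        abort();

    errno = saved_errno;      /* report open()'s error, not the restore's */
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open_as_real_user(argv[1], O_RDONLY);
    if (fd == -1) { perror(errno == EACCES ? "denied for real user" : "open"); return 1; }
    close(fd);                /* a real program would work on fd, never on the path again */
    return 0;
}
```

After the call, the program should keep working with the returned file descriptor rather than reopening the pathname, since the descriptor stays bound to the file that passed the check.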

---

*Originally published on [int0x33](https://paragraph.com/@int0x33/exploit-access-with-symlinks)*
