access
Intro
access - check user's permissions to a file
Description
The access system call checks if the calling process can access the file pathname. It takes two parameters: the pathname and the mode of the access being checked. It returns 0 if the user has permission and -1 if the user does not have permission. The access mode argument specifies which permissions should be checked. The different modes are defined in <fcntl.h>.
The access system call can be used to check access permissions prior to attempting to open a file or directory. Because the check and the later open are separate operations, the result can be out of date by the time the file is used, so this pattern does not protect against TOCTOU attacks (see Issues).
Arguments
- pathname:const char*[KU] - pathname of the file being accessed
- mode:int[K] - mode of access being tested, defined in fcntl.h
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
Hooks
sys_access
Type
Kprobes
Purpose
To trace the access system call.
Example Use Case
The access system call could be used in order to implement a security policy in an application. For example, an application may require certain users to be members of a specific group in order to access certain files. The application could call access prior to attempting to access or open a file in order to check if the user has permission to access the requested file.
Issues
The access system call is vulnerable to TOCTOU (time of check, time of use) attacks. That is, the permission of the requested file can change between the time it was checked and the time of use.
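The gap described above, shown next to a descriptor-based alternative. This is an added example, not code from Tracee; the helper names (open_racy, open_pinned, swap_path, demo) and the temporary file names are hypothetical, and swap_path stands in for another process changing the path between the check and the use.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
static char target[64], other[64];   /* constructed sample paths */

static void put(const char *p, const char *s) {
    FILE *f = fopen(p, "w");
    if (f) { fputs(s, f); fclose(f); }
}

/* Stands in for a concurrent change to the path between check and use. */
static void swap_path(void) { rename(other, target); }

/* Racy: the path is resolved twice, by access() and again by open(). */
static int open_racy(const char *path) {
    if (access(path, R_OK) != 0) return -1;
    swap_path();
    return open(path, O_RDONLY);
}

/* Safer: resolve the path once, then validate the object behind the fd. */
static int open_pinned(const char *path) {
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    swap_path();
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns the first byte of the file that was actually opened. */
static char demo(int pinned) {
    char dir[] = "/tmp/access_demo_XXXXXX", c = '?';
    if (!mkdtemp(dir)) return c;
    snprintf(target, sizeof target, "%s/report", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    put(target, "checked"); put(other, "swapped");
    int fd = pinned ? open_pinned(target) : open_racy(target);
    if (fd >= 0) { if (read(fd, &c, 1) != 1) c = '?'; close(fd); }
    unlink(target); unlink(other); rmdir(dir);
    return c;
}

int main(void) { printf("racy: %c, pinned: %c\n", demo(0), demo(1)); return 0; }
```

In the racy variant the file that is read is not the one access() examined; in the pinned variant the fstat() check and the read both refer to the object that open() returned, whatever happens to the path afterwards.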
Related Events
- open - to open the file if the user has permission
- stat - to query file status, including the owner and group of the file
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.