
faccessat

Intro

faccessat - Tests the accessibility of the file or directory referred to by file descriptor

Description

The faccessat function checks whether the current user can access the file named by pathname, resolved relative to the directory referred to by the file descriptor dirfd. The type of access is selected by mode: F_OK (file existence check), R_OK (read permission check), W_OK (write permission check) or X_OK (execute permission check). The flags argument allows additional enhancements to the permission check. If pathname is an empty string, faccessat will check for the same permission in the directory referred to by dirfd.

This function is useful when you want to check permissions of a file before opening it, in order to avoid any security issues related to time-of-check to time-of-use (TOCTOU) vulnerabilities.

Arguments

  • dirfd: int - File descriptor of the directory containing the file to be checked
  • pathname: const char* - Relative or absolute pathname of the file to be checked
  • mode: int - Type of access to be checked, can be one of:
      ◦ F_OK - file existence check.
      ◦ R_OK - read permission check.
      ◦ W_OK - write permission check.
      ◦ X_OK - execute permission check.
  • flags: int[U,OPT] - Allows additional enhancements to the permission check. Currently only 0 and AT_EACCESS are supported.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_faccessat

Type

Kprobes + Kretprobes

Purpose

To capture syscalls made by processes and any errors that occur.

Example Use Case

One possible use case is to monitor user account permissions. This could be particularly useful for security monitoring of users and applications by using the faccessat syscall to check for allowed or denied access to files.

Issues

faccessat is exposed to TOCTOU (time-of-check to time-of-use) races: the permission check performed by the syscall is not atomic with any later use of the file. If access is granted at check time but the file or its permissions change before the file is actually used, the result of the check is no longer reliable.

  • openat: Used for opening files, and may be used in conjunction with faccessat to safely open files.
  • stat: Used for getting information about files, and can be useful to check for permission changes between checks done by the faccessat syscall.
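To make the race described above concrete, here is an added C example (not from Tracee or its documentation) that puts the check-then-open pattern next to the race-free alternative of letting openat() perform the permission check itself; the sample file name and the run_demo helper are this example's own.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <unistd.h>

/* Constructed sample file name used by the demo (not from Tracee). */
static const char *SAMPLE = "faccessat_demo.txt";

/* Racy pattern the page warns about: the faccessat check and the open are
 * two separate syscalls, so the object behind 'path' can change in between.
 * Kept only to contrast with open_readable(). Returns an fd or -1. */
int check_then_open(int dirfd, const char *path)
{
    if (faccessat(dirfd, path, R_OK, AT_EACCESS) != 0)
        return -1;   /* TOCTOU window: the file may change before openat() */
    return openat(dirfd, path, O_RDONLY | O_CLOEXEC);
}

/* Race-free pattern: let openat() do the permission check atomically with
 * the open. O_NOFOLLOW refuses a symlink in the final path component. */
int open_readable(int dirfd, const char *path)
{
    return openat(dirfd, path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);
}

/* F_OK existence check relative to dirfd; 1 if present, 0 otherwise. */
int exists_at(int dirfd, const char *path)
{
    return faccessat(dirfd, path, F_OK, 0) == 0;
}

/* Creates SAMPLE under 'dir', exercises both patterns, then cleans up.
 * Returns 0 when every call behaved as expected, else the failing step id. */
int run_demo(const char *dir)
{
    int rc = 0, fd;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0) return 1;
    fd = openat(dfd, SAMPLE, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, 0600);
    if (fd < 0) { close(dfd); return 2; }
    close(fd);
    if (!exists_at(dfd, SAMPLE) || exists_at(dfd, "no_such_file")) rc = 3;
    if ((fd = check_then_open(dfd, SAMPLE)) < 0) rc = 4; else close(fd);
    if ((fd = open_readable(dfd, SAMPLE)) < 0) rc = 5; else close(fd);
    if (open_readable(dfd, "no_such_file") != -1) rc = 6;
    unlinkat(dfd, SAMPLE, 0);
    close(dfd);
    return rc;
}
```

In a Tracee trace, the racy variant shows up as a sys_faccessat event followed by a separate openat on the same dirfd and pathname, which is the pattern worth flagging; the race-free variant produces only the openat.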

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.