Examine programs outside of OpenBSD base. Time of Check before Time of Use is normally avoided in OpenBSD base. CAVEATS access() and faccessat() should never be used for actual access control. Doing so can result in a time of check vs. time of use security hole. The outside world does things... differently... TOC TOC TOC TOC... TOU Unfortunately software isn't always written to simply open what it needs and use it. access stat realpath Many things expect stat() and access() to work. Our own realpath() call stats its way down a path to resolve symlinks.. more on links in a bit...