Re: /proc filesystem allows bypassing directory permissions on Linux



On Mon 2009-10-26 18:11:56, Dan Yefimov wrote:
On 26.10.2009 18:06, Pavel Machek wrote:
On Mon 2009-10-26 15:37:50, Dan Yefimov wrote:
On 26.10.2009 13:54, psz@xxxxxxxxxxxxxxxxx wrote:
Dear Dan,

... in authentic kernels /proc/<PID>/fd/<FD> are symlinks ...

They appear to /bin/ls as symlinks, but observation suggests that they
"act" as hardlinks. Could that be fixed somehow? (I did look at the
kernel fs/proc/base.c but did not make much sense to me...)

Just looked more carefully at fs/proc/base.c. That behavior is due
to proc_fd_info() called from proc_fd_link() obtains file->f_path,
that in turn contains the reference to the open file dentry and
hence inode. That's exactly why those symlinks behave as hardlinks.
This behavior assumes, that if you were able to open the file,
you've all necessary transition permissions to access it's inode.
But in order to follow them you need privileges to read the process
memory, which hardly restricts the impact of this behavior. I don't
think this should be fixed, since /proc/<PID>/fd/ is mainly for
debugging purposes.

guest certianly does not have permission to ptrace() pavel's
processes, so...

But guest has permissions to ptrace() his own processes. If we
remember your original report, he abuses input redirection of bash
run by himself. So again, there's no real security hole here.

guest abuses ptrace permissions on his own processes to write to
pavel's files... no, that obviously is not security hole :-).

Whatever. I agree that it is obscure, but I believe that it is
security problem, and the one that should be fixed. By now, someone is
probably working for a fix. (I took a stab at patching kernel, too).

We probably should not continue this debate on bugtraq. Enough was
said already, and right people are probably already aware of this
issue.

(The debate is still relevant on lkml, so lets continue discussion
there).
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html



Relevant Pages

  • Re: /proc filesystem allows bypassing directory permissions on Linux
    ... "act" as hardlinks. ... Could that be fixed somehow? ... kernel fs/proc/base.c but did not make much sense to me...) ...
    (Bugtraq)
  • Re: whats next for the linux kernel?
    ... `ls -l' can show you the complete permissions of a lot of files in a few ... permission and some of the inheritees' permissions might suddenly make ... including UTF-8 canoncalization code, inside the kernel. ... complex and thus, when they *do* fail, the failures are correspondingly ...
    (Linux-Kernel)
  • Re: scanning sysfs to populate /dev
    ... | perspective there doesn't seem to be a way to acquire permissions data. ... | if you have to compile it into the kernel image. ... The config file could be done, but it is just a different way ... | filesystems why would you need to do anything more from early userspace when you ...
    (comp.os.linux.development.system)
  • Re: [RFC] FUSE permission modell (Was: fuse review bits)
    ... >> root is denied all access. ... and the kernel checks the permission. ... The userspace can't enforce the permissions. ...
    (Linux-Kernel)
  • Re: scanning sysfs to populate /dev
    ... the kernel only deals with devices by their device code. ... > Having a device namespace in the kernel, is a departure from that philosophy. ... > external policy, and now it is migrating to device drivers. ... permissions for any nodes it just creates them with the default permissions ...
    (comp.os.linux.development.system)