Re: /proc filesystem allows bypassing directory permissions on Linux



Hi!

> > That race is easily fixed.
>
> No, you're not right.
>
> > After chmodding the directory to 0700, *first*
> > check the link count, *then* chmod the file to 0666:
> >
> > User1 creates file with permissions 0644
> > User2 opens file for read access on file descriptor 4
> > User1 chmod's directory to 0700
> > User1 verifies no hard links to file
>
> Here's a window, during which User2 is able to create a hardlink and
> that will remain unnoticed by User1. There's no way to perform link
> check and conditionally do chmod in an atomic manner.

0700 on directory prevents hardlink creation, see?

pavel@amd:/tmp$ mkdir my_dir
pavel@amd:/tmp$ cd my_dir/
pavel@amd:/tmp/my_dir$ ls
pavel@amd:/tmp/my_dir$ > foo
pavel@amd:/tmp/my_dir$ chmod 700 .
pavel@amd:/tmp/my_dir$ su guest
Password:
guest@amd:/tmp/my_dir$ ln foo /tmp/bar
ln: accessing `foo': Permission denied
guest@amd:/tmp/my_dir$

You need x bit on directory to look up foo.

> > Excluding the /proc route, at no point during this sequence, User2 could
> > have opened the file for writing. Therefore, User1 expects (justified,
> > imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
> > violates this expectation.
>
> Again, you're not right. See above.

No, he's right, see above.
Pavel

--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
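
The owner-side sequence argued over in this message (chmod the directory to 0700, check the link count, then chmod the file to 0666), written out as an added Python example that is not code from the thread. The scan of /proc for descriptors opened before the directory was closed is an addition made here, and the names `holders` and `open_up` are hypothetical. It assumes Linux with /proc mounted and a caller who owns both the directory and the file.

```python
import glob
import os
import stat

def holders(st, skip=None):
    """List /proc/<pid>/fd/<n> entries open on the inode described by st.

    Only processes the caller may inspect are visible, so a complete
    answer needs root; other users' descriptors are silently missed."""
    found = []
    for entry in glob.glob("/proc/[0-9]*/fd/*"):
        if entry == skip:
            continue
        try:
            cur = os.stat(entry)          # follows the link to the open file
        except OSError:
            continue                      # process gone, or not ours to read
        if (cur.st_dev, cur.st_ino) == (st.st_dev, st.st_ino):
            found.append(entry)
    return found

def open_up(directory, name, mode=0o666):
    """Run the owner's sequence; return (changed, reason)."""
    os.chmod(directory, 0o700)            # 1. others can no longer look up name
    fd = os.open(os.path.join(directory, name), os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            return False, "not a regular file"
        if st.st_nlink != 1:              # 2. another name for this inode exists
            return False, "extra hard link"
        # 3. a descriptor opened before step 1 is still reachable via /proc
        still = holders(st, skip=f"/proc/{os.getpid()}/fd/{fd}")
        if still:
            return False, "still open: " + ", ".join(still)
        os.fchmod(fd, mode)               # 4. same inode that was just checked
        return True, "ok"
    finally:
        os.close(fd)
```

Run as an unprivileged user, step 3 sees only that user's own processes, so a descriptor held by another account (User2's file descriptor 4 in the thread) is reported only when the scan runs as root.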


