[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: /proc filesystem allows bypassing directory permissions on Linux
On Sat 2009-10-24 01:24:49, Dan Yefimov wrote:
> On 24.10.2009 1:08, Pavel Machek wrote:
> >>That can hardly be called a real security hole, since the behaviour
> >>described above is expected, and is as it was conceived by design.
> >>If the file owner in fact allows writing to it, why should Linux
> >>prevent that from happening?
> >No, I do not think this is expected. You could not write to that file
> >under traditional unix, and you can not write into that file when
> >/proc is unmounted.
> >I do not think mounting /proc should change access control semantics.
> It didn't in fact change anything. If the guest created hardlink to
> that file in a unrestricted location, what would you say? Procfs is
> in that respect just another sort of hardlinks, whether you like
> that or not. If you didn't in fact restrict an access to the file,
> you're on your own.
Now... go back to my original email:
%pavel@toy:/tmp/my_priv$ chmod 700 .
%# relax file permissions, directory is private, so this is safe
%# check link count on unwritable_file. We would not want someone
%# to have a hard link to work around our permissions, would we?
%pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file
Yes, you are right, open file descriptor acts as a kind of hardlink
here. Except that
a) this kind of hardlink does not exist when /proc is mounted (and on
b) unlike other hardlinks, you can't see it on the link count
(and c) writing to file descriptor opened read-only is bad).
> >Plus, you may run traditional unix/POSIX application, expecting
> >directory access controls to prevent the write. (Or can you see a way
> >to write to that file when /proc is unmounted?)
> Directory permissions control an access just to the directory
> itself, not to the files in it, so your pretensions are in fact
Demonstrate how to get access to the file with /proc unmounted and you
have a point. Demonstrate how to get access on anything else then
Linux and you have a point. Otherwise there's a security hole.
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html