[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: /proc filesystem allows bypassing directory permissions on Linux

Pavel Machek wrote:
>On Sat 2009-10-24 01:12:51, Dan Yefimov wrote:
>> On 24.10.2009 0:35, Matthew Bergin wrote:
>> >doesnt look like the original owner is trying to write to it. Shows it
>> >cant, it had guest write to it via the proc folders bad permissions.
>> >Looks legitimate
>> >
>> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an
>> attacker? No, that was the owner of 'unwritable_file', nobody else.
>> What the 0666 file mode means? It means, that everybody can write to
>> the file, can't he? So why do you believe that pretension
>> legitimate?
>Original owner did chmod 666... after making sure traditional unix
>permissions protect the file. Please look at original mail; it was
>subtle but I believe I got it right, and file would not be writable
>with /proc unmounted.

In Solaris, you don't have permission to access a file in /proc/<pid>/fd unless
you can control the process <pid>.

$ ls -l /proc/1/fd
/proc/1/fd: Permission denied

If you can control <pid>, then clearly you have access the file anyway 
simply by controlling it using a debugger.

I agree with Pavel's assessment here.