mailing list archives
Re: /proc filesystem allows bypassing directory permissions on Linux
From: Pavel Machek <pavel () ucw cz>
Date: Fri, 23 Oct 2009 23:56:28 +0200
On Sat 2009-10-24 01:24:49, Dan Yefimov wrote:
On 24.10.2009 1:08, Pavel Machek wrote:
That can hardly be called a real security hole, since the behaviour
described above is expected, and is as it was conceived by design.
If the file owner in fact allows writing to it, why should Linux
prevent that from happening?
No, I do not think this is expected. You could not write to that file
under traditional unix, and you can not write into that file when
/proc is unmounted.
I do not think mounting /proc should change access control semantics.
It didn't in fact change anything. If the guest created hardlink to
that file in a unrestricted location, what would you say? Procfs is
in that respect just another sort of hardlinks, whether you like
that or not. If you didn't in fact restrict an access to the file,
you're on your own.
Now... go back to my original email:
%pavel () toy:/tmp/my_priv$ chmod 700 .
%# relax file permissions, directory is private, so this is safe
%# check link count on unwritable_file. We would not want someone
%# to have a hard link to work around our permissions, would we?
%pavel () toy:/tmp/my_priv$ chmod 666 unwritable_file
Yes, you are right, open file descriptor acts as a kind of hardlink
here. Except that
a) this kind of hardlink does not exist when /proc is mounted (and on
b) unlike other hardlinks, you can't see it on the link count
(and c) writing to file descriptor opened read-only is bad).
Plus, you may run traditional unix/POSIX application, expecting
directory access controls to prevent the write. (Or can you see a way
to write to that file when /proc is unmounted?)
Directory permissions control an access just to the directory
itself, not to the files in it, so your pretensions are in fact
Demonstrate how to get access to the file with /proc unmounted and you
have a point. Demonstrate how to get access on anything else then
Linux and you have a point. Otherwise there's a security hole.
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html