Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux
From: Daryl Tester <dt-bugtraq () handcraftedcomputers com au>
Date: Sat, 24 Oct 2009 12:25:42 +1030

Pavel Machek wrote:

So what did happen? User guest was able to work around directory
permissions in the background, using /proc filesystem.

guest () toy:~$ bash 3< /tmp/my_priv/unwritable_file

Although having an already open handle to the file is kind of cheating. :-)
(well, it isn't, but I think it's a mitigating factor).

# ...until we take a way around it with /proc filesystem. Oops.
guest () toy:/tmp/my_priv$ echo got you > /proc/self/fd/3

But I understand that the check on the parent directory of the file for
accessibility appears to be missing here, at least to get the same behaviour
as relative file opening.  Despite what Dan says regarding the behaviour as
"by design", I find the /proc/fd system under Linux to be, erm, "ad hoc", and
the semantics not well documented (if at all).  The Linux implementation seems
to be more "filename based" rather than file descriptor (which appears to be
the BSD model), which has tripped me up before (e.g.
<http://lkml.org/lkml/2008/8/7/25>).


--
Regards,
 Daryl Tester

"Scheme is an exotic sports car. Fast. Manual transmission. No radio.
Common Lisp is Howl's Moving Castle."
 -- Steve Yegge, comparing Lisp families to cars.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]