Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux
From: psz () maths usyd edu au
Date: Thu, 29 Oct 2009 07:04:54 +1100

Dear Dan,

You wrote:

     User1 creates file with permissions 0644
                     User2 opens file for read access on file descriptor 4
     User1 chmod's directory to 0700
     User1 verifies no hard links to file

Here's a window, during which User2 is able to create a hardlink and that will 
remain unnoticed by User1. There's no way to perform link check and 
conditionally do chmod in an atomic manner.

After the directory is mode 700, User2 cannot create hardlinks. There is
no window. Checking link counts anytime after the directory has been
secured, is fine.

---

Looking at older pronouncements:

http://www.securityfocus.com/archive/1/507448
in authentic kernels /proc/<PID>/fd/<FD> are symlinks, not anything other.

http://www.securityfocus.com/archive/1/507426
Just looked more carefully at fs/proc/base.c. That behavior is due to
proc_fd_info() called from proc_fd_link() obtains file->f_path, that in turn
contains the reference to the open file dentry and hence inode. That's exactly
why those symlinks behave as hardlinks. ...
... I don't think this should be fixed ...

There is a self-contradiction, and a problem which might be fixed. Only
matter for debate (by opinionated people) is whether it should be fixed.

Cheers, Paul

Paul Szabo   psz () maths usyd edu au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]