Home page logo

bugtraq logo Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux
From: Pavel Machek <pavel () ucw cz>
Date: Wed, 28 Oct 2009 22:27:29 +0100


That race is easily fixed.

No, you're not right.

After chmodding the directory to 0700, *first*
check the link count, *then* chmod the file to 0666:

    User1 creates file with permissions 0644
                    User2 opens file for read access on file descriptor 4
    User1 chmod's directory to 0700
    User1 verifies no hard links to file

Here's a window, during which User2 is able to create a hardlink and
that will remain unnoticed by User1. There's no way to perform link
check and conditionally do chmod in an atomic manner.

0700 on directory prevents hardlink creation, see?

pavel () amd:/tmp$ mkdir my_dir
pavel () amd:/tmp$ cd my_dir/
pavel () amd:/tmp/my_dir$ ls
pavel () amd:/tmp/my_dir$ > foo
pavel () amd:/tmp/my_dir$ chmod 700 .
pavel () amd:/tmp/my_dir$ su guest
guest () amd:/tmp/my_dir$ ln foo /tmp/bar
ln: accessing `foo': Permission denied
guest () amd:/tmp/my_dir$

You need x bit on directory to look up foo.

Excluding the /proc route, at no point during this sequence, User2 could
have opened the file for writing. Therefore, User1 expects (justified,
imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
violates this expectation.

Again, you're not right. See above.

No, he's right, see above.

(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]