Home page logo

bugtraq logo Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux
From: CaT <cat () zip com au>
Date: Thu, 29 Oct 2009 08:58:37 +1100

On Tue, Oct 27, 2009 at 03:34:04PM -0500, Derek Martin wrote:
$ mkdir foo
$ cd foo
$ echo hi > bar
$ ls -la
total 12
drwxr-xr-x  2 user1 group1 4096 2009-10-27 16:22 ./
drwx------ 57 user1 group1 4096 2009-10-27 16:22 ../
-rw-r--r--  1 user1 group1    3 2009-10-27 16:22 bar
$ chmod 000 .
$ echo bye > bar
-bash: bar: Permission denied

I think that fails because you've removed the search bits from the dir so
bash no longer has permissions to -find- the file. Eg:

$ mkdir test
$ cd test
$ echo moo >cow
$ chmod 600 .
$ echo meow >cow
bash: cow: Permission denied

The problem with the /proc interface is:

 - it is automatic (if /proc is mounted)
 - its file access semantics are not identical to the rest of the file system
   (e.g. they are not really symlinks, and they are not really hard
   links, and the link count is not incremented, and the average
   person will have no idea about their semantics).
 - it creates a pseudo-link with permissions which do not regard the directory
   access controls the user had to pass authorization checks to gain access.

Would the file descriptor work differently if the program that opened the
file changed it after the victim changed the permissions on the directory?
It should be noted that 2 users have access to /proc/$pid/fd/$fd - the 
user the program is running as and root (at least that is the case on my
linux system).

  "A search of his car uncovered pornography, a homemade sex aid, women's 
  stockings and a Jack Russell terrier."
    - http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]