mailing list archives
Re: /proc filesystem allows bypassing directory permissions on Linux
From: Pavel Machek <pavel () ucw cz>
Date: Thu, 29 Oct 2009 20:20:51 +0100
On Thu 2009-10-29 18:24:01, Dan Yefimov wrote:
On 29.10.2009 0:27, Pavel Machek wrote:
That race is easily fixed.
No, you're not right.
After chmodding the directory to 0700, *first*
check the link count, *then* chmod the file to 0666:
User1 creates file with permissions 0644
User2 opens file for read access on file descriptor 4
User1 chmod's directory to 0700
User1 verifies no hard links to file
Here's a window, during which User2 is able to create a hardlink and
that will remain unnoticed by User1. There's no way to perform link
check and conditionally do chmod in an atomic manner.
0700 on directory prevents hardlink creation, see?
Do you still remember about openat()? If the directory was created with
No, you said you can do hardlink, and you can't. Try
it. openat(O_SEARCH) does not seem to exist.
0700 mode from the origin, you would be right, and procfs wouldn't
opening files in that directory too, but if you let others to traverse
that directory and open your believed to be secure files from the origin,
it's your fault.
I can do the example with fd passing and 700 directory, but it would
be lot of C code. Feel free to play, my example was not nearly the
only way to demonstrate it, and no, it was not racy.
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html