Home page logo

bugtraq logo Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux
From: Pavel Machek <pavel () ucw cz>
Date: Thu, 29 Oct 2009 20:20:51 +0100

On Thu 2009-10-29 18:24:01, Dan Yefimov wrote:
On 29.10.2009 0:27, Pavel Machek wrote:
That race is easily fixed.

No, you're not right.

After chmodding the directory to 0700, *first*
check the link count, *then* chmod the file to 0666:

     User1 creates file with permissions 0644
                     User2 opens file for read access on file descriptor 4
     User1 chmod's directory to 0700
     User1 verifies no hard links to file

Here's a window, during which User2 is able to create a hardlink and
that will remain unnoticed by User1. There's no way to perform link
check and conditionally do chmod in an atomic manner.

0700 on directory prevents hardlink creation, see?

Do you still remember about openat()? If the directory was created with 

No, you said you can do hardlink, and you can't. Try
it. openat(O_SEARCH) does not seem to exist.  

0700 mode from the origin, you would be right, and procfs wouldn't
opening files in that directory too, but if you let others to traverse 
that directory and open your believed to be secure files from the origin, 
it's your fault.

I can do the example with fd passing and 700 directory, but it would
be lot of C code. Feel free to play, my example was not nearly the
only way to demonstrate it, and no, it was not racy.
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]