* warped security
@ 2002-10-27 8:24 Albert D. Cahalan
2002-10-27 18:45 ` jw schultz
0 siblings, 1 reply; 4+ messages in thread
From: Albert D. Cahalan @ 2002-10-27 8:24 UTC (permalink / raw)
To: linux-kernel
As a non-root user:
a. I can't do readlink() on /proc/1/exe ("ls -l /proc/1/exe")
b. I can do "cat /proc/1/maps" to see what files are mapped
That's backwards. If a user can read /proc/1/cmdline, then
they might as well be permitted to readlink() on /proc/1/exe
as well. Reading /proc/1/maps is quite another matter,
exposing more info than the (prohibited) /proc/1/fd/* does.
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: warped security 2002-10-27 8:24 warped security Albert D. Cahalan @ 2002-10-27 18:45 ` jw schultz 2002-10-28 6:01 ` Albert D. Cahalan 0 siblings, 1 reply; 4+ messages in thread From: jw schultz @ 2002-10-27 18:45 UTC (permalink / raw) To: Albert D. Cahalan; +Cc: linux-kernel On Sun, Oct 27, 2002 at 03:24:28AM -0500, Albert D. Cahalan wrote: > > As a non-root user: > > a. I can't do readlink() on /proc/1/exe ("ls -l /proc/1/exe") > b. I can do "cat /proc/1/maps" to see what files are mapped > > That's backwards. If a user can read /proc/1/cmdline, then > they might as well be permitted to readlink() on /proc/1/exe > as well. Reading /proc/1/maps is quite another matter, > exposing more info than the (prohibited) /proc/1/fd/* does. It seems to have been this way since at least 2.2. It isn't exclusive to the /proc/*/exe. It applies to all symlinks in /proc/$pid. As near as i can tell it seems to be a functional-equivalency carryover from 2.2. It isn't causing much harm but i do wonder if this is intentional and if so, why. I'm at a loss to see why refusing to allow non-owners to identify a process's cwd, exe, and root would be desireable. The only other things we refuse are mem, fd/ and eviron, the reasons for which are obvious and the restrictions are per-file rather than as a class. -- ________________________________________________________________ J.W. Schultz Pegasystems Technologies email address: jw@pegasys.ws Remember Cernan and Schmitt ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: warped security 2002-10-27 18:45 ` jw schultz @ 2002-10-28 6:01 ` Albert D. Cahalan 2002-10-28 7:50 ` jw schultz 0 siblings, 1 reply; 4+ messages in thread From: Albert D. Cahalan @ 2002-10-28 6:01 UTC (permalink / raw) To: jw schultz; +Cc: Albert D. Cahalan, linux-kernel jw schultz writes: > On Sun, Oct 27, 2002 at 03:24:28AM -0500, Albert D. Cahalan wrote: >> As a non-root user: >> >> a. I can't do readlink() on /proc/1/exe ("ls -l /proc/1/exe") >> b. I can do "cat /proc/1/maps" to see what files are mapped >> >> That's backwards. If a user can read /proc/1/cmdline, then >> they might as well be permitted to readlink() on /proc/1/exe >> as well. Reading /proc/1/maps is quite another matter, >> exposing more info than the (prohibited) /proc/1/fd/* does. > > It seems to have been this way since at least 2.2. It isn't > exclusive to the /proc/*/exe. It applies to all symlinks in > /proc/$pid. Guessing: 1. readlink and follow permissions were not distinct 2. symlink following in /proc wasn't done normally 3. therefore, readlink implied access to the target's data Rather than fix #1 or #2, readlink() got restricted. > As near as i can tell it seems to be a > functional-equivalency carryover from 2.2. It isn't causing > much harm but i do wonder if this is intentional and if so, > why. I'm at a loss to see why refusing to allow non-owners > to identify a process's cwd, exe, and root would be > desireable. The only other things we refuse are mem, fd/ > and eviron, the reasons for which are obvious and the > restrictions are per-file rather than as a class. Being able to readlink() in the fd directory is much less revealing than the content of the maps file. IMHO both of them should be restricted, but the "maps" file matters more. Just look at this: cat /proc/1/maps This all looks completely mixed up. Users SHOULD NOT be able to read /proc/1/maps, but SHOULD be able to readlink at least any /proc/1/* symlink that has meaning in the current namespace. (so not if the observer is in a chroot environment) ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: warped security 2002-10-28 6:01 ` Albert D. Cahalan @ 2002-10-28 7:50 ` jw schultz 0 siblings, 0 replies; 4+ messages in thread From: jw schultz @ 2002-10-28 7:50 UTC (permalink / raw) To: linux-kernel On Mon, Oct 28, 2002 at 01:01:02AM -0500, Albert D. Cahalan wrote: > jw schultz writes: > > On Sun, Oct 27, 2002 at 03:24:28AM -0500, Albert D. Cahalan wrote: > > >> As a non-root user: > >> > >> a. I can't do readlink() on /proc/1/exe ("ls -l /proc/1/exe") > >> b. I can do "cat /proc/1/maps" to see what files are mapped > >> > >> That's backwards. If a user can read /proc/1/cmdline, then > >> they might as well be permitted to readlink() on /proc/1/exe > >> as well. Reading /proc/1/maps is quite another matter, > >> exposing more info than the (prohibited) /proc/1/fd/* does. > > > > It seems to have been this way since at least 2.2. It isn't > > exclusive to the /proc/*/exe. It applies to all symlinks in > > /proc/$pid. > > Guessing: > > 1. readlink and follow permissions were not distinct > 2. symlink following in /proc wasn't done normally > 3. therefore, readlink implied access to the target's data > > Rather than fix #1 or #2, readlink() got restricted. That is my guess regarding 2.2 (and earlier). 2.4 and future it is explicitly tested in proc_fd_readlink() which only applies to the links in /proc/$pid > > As near as i can tell it seems to be a > > functional-equivalency carryover from 2.2. It isn't causing > > much harm but i do wonder if this is intentional and if so, > > why. I'm at a loss to see why refusing to allow non-owners > > to identify a process's cwd, exe, and root would be > > desirable. The only other things we refuse are mem, fd/ > > and eviron, the reasons for which are obvious and the > > restrictions are per-file rather than as a class. > > Being able to readlink() in the fd directory is much less > revealing than the content of the maps file. IMHO both of > them should be restricted, but the "maps" file matters more. And i can so no reason why either should be restricted. There is no confidential information therein and these symlinks do not open any access that wouldn't already exist. > Just look at this: cat /proc/1/maps So what? If the reason for your post was to suggest that the maps file should be 400 then you should have said so. I don't think doing so would have any security value unless you believe in security through obscurity. The only indiscretion i can think of would be to reveal the existence of a file in a directory with --x perms (occasionally good for privacy, always poor for security) in which case you would want maps and all the /proc/$pid/* links restricted. > This all looks completely mixed up. Users SHOULD NOT be able > to read /proc/1/maps, but SHOULD be able to readlink at least > any /proc/1/* symlink that has meaning in the current namespace. > (so not if the observer is in a chroot environment) Proc mounted inside a chrooted or jailed namespace is a completely different issue. As would be the value of the links where the observed is chrooted. -- ________________________________________________________________ J.W. Schultz Pegasystems Technologies email address: jw@pegasys.ws Remember Cernan and Schmitt ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2002-10-28 7:44 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2002-10-27 8:24 warped security Albert D. Cahalan 2002-10-27 18:45 ` jw schultz 2002-10-28 6:01 ` Albert D. Cahalan 2002-10-28 7:50 ` jw schultz
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.