* 2.6.13: can kill X server but readlink of /proc/<pid>/exe et. al. says EACCES. feature?
From: Frank van Maarseveen @ 2005-09-06 17:53 UTC
  To: linux-kernel

While I have access to /proc/<pid>, readlink fails with EACCES on

	/proc/<pid>/exe
	/proc/<pid>/cwd
	/proc/<pid>/root

even when I own <pid> though it runs with a different effective/saved/fs
uid such as the X server. This is a bit uncomfortable and doesn't
seem right.

Or is this to make /proc mounting inside a chroot jail safe?

-- 
Frank


* Re: 2.6.13: can kill X server but readlink of /proc/<pid>/exe et. al. says EACCES. feature?
From: viro @ 2005-09-06 17:57 UTC
  To: Frank van Maarseveen; +Cc: linux-kernel

On Tue, Sep 06, 2005 at 07:53:49PM +0200, Frank van Maarseveen wrote:
> While I have access to /proc/<pid>, readlink fails with EACCES on
> 
> 	/proc/<pid>/exe
> 	/proc/<pid>/cwd
> 	/proc/<pid>/root
> 
> even when I own <pid> though it runs with a different effective/saved/fs
> uid such as the X server. This is a bit uncomfortable and doesn't
> seem right.
> 
> Or is this to make /proc mounting inside a chroot jail safe?

suid-root task does chdir() to place you shouldn't be able to access.
You do cd /proc/<pid>/cwd and get there anyway.  Bad Things Happen...


* Re: 2.6.13: can kill X server but readlink of /proc/<pid>/exe et. al. says EACCES. feature?
From: Frank van Maarseveen @ 2005-09-06 18:50 UTC
  To: viro; +Cc: linux-kernel

On Tue, Sep 06, 2005 at 06:57:37PM +0100, viro@ZenIV.linux.org.uk wrote:
> On Tue, Sep 06, 2005 at 07:53:49PM +0200, Frank van Maarseveen wrote:
> > While I have access to /proc/<pid>, readlink fails with EACCES on
> > 
> > 	/proc/<pid>/exe
> > 	/proc/<pid>/cwd
> > 	/proc/<pid>/root
> > 
> > even when I own <pid> though it runs with a different effective/saved/fs
> > uid such as the X server. This is a bit uncomfortable and doesn't
> > seem right.
> > 
> > Or is this to make /proc mounting inside a chroot jail safe?
> 
> suid-root task does chdir() to place you shouldn't be able to access.
> You do cd /proc/<pid>/cwd and get there anyway.  Bad Things Happen...

Ok, but being able to do readlink() does not mean that one can chdir(),
usually.

-- 
Frank


* Re: 2.6.13: can kill X server but readlink of /proc/<pid>/exe et. al. says EACCES. feature?
From: viro @ 2005-09-06 19:02 UTC
  To: Frank van Maarseveen; +Cc: linux-kernel

On Tue, Sep 06, 2005 at 08:50:41PM +0200, Frank van Maarseveen wrote:
> On Tue, Sep 06, 2005 at 06:57:37PM +0100, viro@ZenIV.linux.org.uk wrote:
> > On Tue, Sep 06, 2005 at 07:53:49PM +0200, Frank van Maarseveen wrote:
> > > While I have access to /proc/<pid>, readlink fails with EACCES on
> > > 
> > > 	/proc/<pid>/exe
> > > 	/proc/<pid>/cwd
> > > 	/proc/<pid>/root
> > > 
> > > even when I own <pid> though it runs with a different effective/saved/fs
> > > uid such as the X server. This is a bit uncomfortable and doesn't
> > > seem right.
> > > 
> > > Or is this to make /proc mounting inside a chroot jail safe?
> > 
> > suid-root task does chdir() to place you shouldn't be able to access.
> > You do cd /proc/<pid>/cwd and get there anyway.  Bad Things Happen...
> 
> Ok, but being able to do readlink() does not mean that one can chdir(),
> usually.

follow_link on these guys does _not_ traverse parent directories.  So chdir()
checks are more relaxed that way.  Even if we made checks on readlink work
differently, we would still get an information leak - e.g. if task had
created a directory with pathname derived from sensitive data and did chdir
there.  Being able to kill a task != being able to see pieces of its state...

