From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1750807AbVIFTC5 (ORCPT ); Tue, 6 Sep 2005 15:02:57 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S1750806AbVIFTC5 (ORCPT ); Tue, 6 Sep 2005 15:02:57 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:1930 "EHLO ZenIV.linux.org.uk") by vger.kernel.org with ESMTP id S1750807AbVIFTC4 (ORCPT ); Tue, 6 Sep 2005 15:02:56 -0400 Date: Tue, 6 Sep 2005 20:02:55 +0100 From: viro@ZenIV.linux.org.uk To: Frank van Maarseveen Cc: linux-kernel@vger.kernel.org Subject: Re: 2.6.13: can kill X server but readlink of /proc//exe et. al. says EACCES. feature? Message-ID: <20050906190255.GB5155@ZenIV.linux.org.uk> References: <20050906175349.GA390@janus> <20050906175737.GY5155@ZenIV.linux.org.uk> <20050906185041.GA728@janus> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20050906185041.GA728@janus> User-Agent: Mutt/1.4.1i Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 06, 2005 at 08:50:41PM +0200, Frank van Maarseveen wrote: > On Tue, Sep 06, 2005 at 06:57:37PM +0100, viro@ZenIV.linux.org.uk wrote: > > On Tue, Sep 06, 2005 at 07:53:49PM +0200, Frank van Maarseveen wrote: > > > While I have access to /proc/, readlink fails with EACCES on > > > > > > /proc//exe > > > /proc//cwd > > > /proc//root > > > > > > even when I own though it runs with a different effective/saved/fs > > > uid such as the X server. This is a bit uncomfortable and doesn't > > > seem right. > > > > > > Or is this to make /proc mounting inside a chroot jail safe? > > > > suid-root task does chdir() to place you shouldn't be able to access. > > You do cd /proc//cwd and get there anyway. Bad Things Happen... > > Ok, but being able to do readlink() does not mean that one can chdir(), > usually. follow_link on these guys does _not_ traverse parent directories. So chdir() checks are more relaxed that way. Even if we made checks on readlink work differently, we would still get an information leak - e.g. if task had created a directory with pathname derived from sensitive data and did chdir there. Being able to kill a task != being able to see pieces of its state...