From: Al Viro <viro@ZenIV.linux.org.uk>
To: Daniel Reichelt <debian@nachtgeist.net>
Cc: linux-kernel@vger.kernel.org
Subject: Re: procfs: boot- and runtime configurable access mode for /proc/<pid> dirs
Date: Thu, 24 Mar 2011 20:37:58 +0000
Message-ID: <20110324203758.GF22723@ZenIV.linux.org.uk>
In-Reply-To: <4D8B991E.5070604@nachtgeist.net>

On Thu, Mar 24, 2011 at 08:18:54PM +0100, Daniel Reichelt wrote:
> Well, my patch is about modes of the pid-dirs themselves, not their
> contents. And it changes procfs' behaviour about modes both on initial
> creation and during revalidation on access. However flattening all the
> piddir's entries DOES pose a security risk. Have a look at the
> "traditional behaviour": piddir world-readable, however e.g.
> <pid>/environ isn't. Often it's a workaround for broken software to
> specify a password within an environment variable instead of by cmdline.
> Since up until now all processes including their full cmdlines are
> visible to everyone, environ must be considered more sensitive than a
> cmdline.

Bull.  /proc/<pid>/foo contents is sensitive, your patch doesn't do
you any good.  fork(), open /proc/<child's PID>/foo in parent, then
exec suid-root binary in child.  At that point mode_t of any files
or directories does not matter anymore.

You *must* do whatever access checks at read(2) time for these files.
And if you do that, the checks at open(2) time do not matter.

In particular, /proc/*/environ does ptrace_may_access() on read(2) (with
a race fixed by today's merge, BTW).  It could very well be r--r--r--;
having it r-------- does not increase security at all.
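The design point in the reply above, that a permission check done only at open(2) is defeated by a descriptor that outlives a privilege change while a check repeated at read(2) is not, is easy to see in a small model. The following is an added example, not code from the mail or from the kernel: "tasks" with a uid and a dumpable flag, a handle bound to a target task at open time, and two read paths, one trusting the open-time result and one re-checking the target's current credentials on every read. The function and struct names (task, proc_handle, may_access, proc_open, read_open_checked, read_checked, exec_suid_root, run_scenario) and the environment strings are constructed for this model; may_access is a deliberately simplified stand-in for the kernel's ptrace_may_access() rule, not a copy of it.

```c
/* Added example: toy model of open-time vs read-time access checks
 * on a /proc/<pid>/environ-like file. Not kernel code; all names are
 * invented for the model. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct task {
    int uid;             /* effective uid of the task */
    int dumpable;        /* cleared on exec of a setuid binary, like the kernel's dumpable flag */
    const char *environ; /* constructed sample environment contents */
};

struct proc_handle {
    const struct task *target; /* task whose environ the handle exposes */
    int open_ok;               /* result of the check performed at open time */
};

/* Simplified access rule (assumption, not ptrace_may_access() itself):
 * root may access anything; otherwise uids must match and the target
 * must still be dumpable. */
static int may_access(const struct task *accessor, const struct task *target)
{
    if (accessor->uid == 0)
        return 1;
    return accessor->uid == target->uid && target->dumpable;
}

/* Both designs bind the handle to the target and record the open-time check. */
static int proc_open(struct proc_handle *h, const struct task *opener, const struct task *target)
{
    h->target = target;
    h->open_ok = may_access(opener, target);
    return h->open_ok ? 0 : -EACCES;
}

static int copy_environ(const struct proc_handle *h, char *buf, size_t n)
{
    strncpy(buf, h->target->environ, n - 1);
    buf[n - 1] = '\0';
    return (int)strlen(buf);
}

/* Design A: trust the open-time check; read(2) never re-checks. */
static int read_open_checked(const struct proc_handle *h, const struct task *reader, char *buf, size_t n)
{
    (void)reader;
    if (!h->open_ok)
        return -EACCES;
    return copy_environ(h, buf, n);
}

/* Design B: repeat the check on every read(2) against the target's
 * credentials as they are now, not as they were at open time. */
static int read_checked(const struct proc_handle *h, const struct task *reader, char *buf, size_t n)
{
    if (!may_access(reader, h->target))
        return -EACCES;
    return copy_environ(h, buf, n);
}

/* Model of exec'ing a setuid-root binary: uid becomes 0, dumpable is cleared,
 * and the process image (including its environment) is replaced. */
static void exec_suid_root(struct task *t)
{
    t->uid = 0;
    t->dumpable = 0;
    t->environ = "SECRET_FROM_PRIVILEGED_IMAGE=1"; /* constructed sample value */
}

/* The sequence from the mail: parent opens the child's environ while both are
 * unprivileged and share a uid, then the child execs a setuid-root binary,
 * then the parent reads. Returns the read result (length or -EACCES). */
static int run_scenario(int check_at_read, char *out, size_t n)
{
    struct task parent = { 1000, 1, "USER=alice" };
    struct task child  = { 1000, 1, "USER=alice" }; /* forked copy, same uid */
    struct proc_handle h;

    if (proc_open(&h, &parent, &child) != 0)
        return -EPERM; /* open is expected to succeed here */

    exec_suid_root(&child);

    return check_at_read ? read_checked(&h, &parent, out, n)
                         : read_open_checked(&h, &parent, out, n);
}

/* 1 if the open-time-only design hands the privileged environment to the parent. */
int open_time_design_leaks(void)
{
    char buf[64];
    return run_scenario(0, buf, sizeof buf) > 0 && strstr(buf, "SECRET_") != NULL;
}

/* 1 if the read-time design refuses the read after the privilege change. */
int read_time_design_denies(void)
{
    char buf[64];
    return run_scenario(1, buf, sizeof buf) == -EACCES;
}

int main(void)
{
    printf("open-time check only: %s\n", open_time_design_leaks() ? "leaks" : "denies");
    printf("check at each read:   %s\n", read_time_design_denies() ? "denies" : "leaks");
    return 0;
}
```

The file mode plays no part in either path: the open-time design fails regardless of whether the file is r--r--r-- or r--------, because the descriptor was obtained when the check legitimately passed. Only the read-time check, evaluated against the target's current credentials and dumpable state, closes the window, which is the reason the reply says the mode of the file does not add security once read(2) does the check.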

Thread overview: 10+ messages
2011-03-24  4:09 procfs: boot- and runtime configurable access mode for /proc/<pid> dirs Daniel Reichelt
2011-03-24  7:32 ` Alexey Dobriyan
2011-03-24  8:41   ` Daniel Reichelt
2011-03-24 18:22     ` Alexey Dobriyan
2011-03-24 18:44       ` Al Viro
2011-03-24 18:49       ` Daniel Reichelt
2011-03-24 19:18       ` Daniel Reichelt
2011-03-24 20:37         ` Al Viro [this message]
2011-03-25 21:24           ` Christian Kujau
2011-05-26 10:56             ` Al Viro
