From: Djalal Harouni <tixxdz@opendz.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Solar Designer <solar@openwall.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: [kernel-hardening] Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality}
Date: Wed, 28 Aug 2013 21:11:42 +0100 [thread overview]
Message-ID: <20130828201141.GA21455@dztty> (raw)
In-Reply-To: <20130827172406.GA2664@dztty>
Cc'ed more people,
On Tue, Aug 27, 2013 at 06:24:06PM +0100, Djalal Harouni wrote:
> Hi Al,
>
> On Mon, Aug 26, 2013 at 06:20:55PM +0100, Al Viro wrote:
> > On Mon, Aug 26, 2013 at 09:49:48AM -0700, Eric W. Biederman wrote:
> >
> > > How does changing the permissions to S_IRUSR prevent someone from
> > > opening the file before, and reading the file after a suid exec?
> > >
> > > > This patch restores the old mode which was 0400
> > >
> > > Which seems to add no security whatsoever and obscure the fact that
> > > anyone who cares can read the file so what is the point?
> >
> > Two words: "security sclerosis". Both patches NAKed, of course.
> These particular tissues "are being hardened", no cure for them
>
>
> More seriously, Al your commit a9712bc12c40c172e393f85 closes the races
> during read() ok, but can you please share some light why the permission
> mode was changed ?
>
> 1)
> The commit log states that all these files are "rw-r--r--" which was not
> correct, they were "r--------" before that commit.
>
> 2)
> The commit log says also:
> "if you open a file before the target does suid-root exec, you'll be still
> able to access it." so you do the task is tracable check at read()
>
> But what if you open a file of a privileged target or a target that does
> suid-root exec later, and pass the fd to a suid-root exec to read() from
> it later, you will still pass that tracable check.
>
> And currently a non-privileged process can get an fd on all these
> /proc/*/stack files even root owned ones.
>
> So why not restore the old behaviour and block a process from getting an
> fd on /proc/*/stack files that belong to other processes?
>
>
> The original thread that added the /proc/*/stack feature:
> https://lkml.org/lkml/2008/11/7/109
>
> They noted that it should be under 0400 permissions
>
> So why remove that, or why not restore the old safe behaviour ?
>
>
> Hope to get a response
>
> Thanks Al
Hope this will convince.
Please not I'm just trying to help/contribute and get things right.
If there is something obvious that I'm missing let me know, will
be happy to learn
tixxdz@dztty-qemu:~$ id
uid=1000(tixxdz) gid=1000(tixxdz)
groups=1000(tixxdz),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
tixxdz@dztty-qemu:~$ ls -lha ./a.out
-rwxr-xr-x 1 tixxdz tixxdz 8.0K Aug 28 20:26 ./a.out
tixxdz@dztty-qemu:~$ ls -lha /usr/bin/procmail
-rwsr-sr-x 1 root mail 88K Apr 25 2010 /usr/bin/procmail
(procmail with -d needs setuid())
tixxdz@dztty-qemu:~$ for i in $(seq 1 10); do ./a.out /usr/bin/procmail
/proc/$i/stack ; done
tixxdz@dztty-qemu:~$ cat /var/mail/tixxdz
[<ffffffff811b6537>] poll_schedule_timeout+0x57/0xe0
[<ffffffff811b70c7>] do_select+0x8b7/0x9a0
[<ffffffff811b766c>] core_sys_select+0x4bc/0x4f0
[<ffffffff811b7761>] SyS_select+0xc1/0x110
[<ffffffff81aef5e9>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8108a6e1>] kthreadd+0xb1/0x150
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff811020f3>] rcu_gp_kthread+0xe3/0x620
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff811023b4>] rcu_gp_kthread+0x3a4/0x620
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
You have mail in /var/mail/tixxdz
Thanks
--
Djalal Harouni
http://opendz.org
WARNING: multiple messages have this Message-ID (diff)
From: Djalal Harouni <tixxdz@opendz.org>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>,
Andrew Morton <akpm@linux-foundation.org>,
Solar Designer <solar@openwall.com>,
Vasiliy Kulikov <segoon@openwall.com>,
Kees Cook <keescook@chromium.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality}
Date: Wed, 28 Aug 2013 21:11:42 +0100 [thread overview]
Message-ID: <20130828201141.GA21455@dztty> (raw)
In-Reply-To: <20130827172406.GA2664@dztty>
Cc'ed more people,
On Tue, Aug 27, 2013 at 06:24:06PM +0100, Djalal Harouni wrote:
> Hi Al,
>
> On Mon, Aug 26, 2013 at 06:20:55PM +0100, Al Viro wrote:
> > On Mon, Aug 26, 2013 at 09:49:48AM -0700, Eric W. Biederman wrote:
> >
> > > How does changing the permissions to S_IRUSR prevent someone from
> > > opening the file before, and reading the file after a suid exec?
> > >
> > > > This patch restores the old mode which was 0400
> > >
> > > Which seems to add no security whatsoever and obscure the fact that
> > > anyone who cares can read the file so what is the point?
> >
> > Two words: "security sclerosis". Both patches NAKed, of course.
> These particular tissues "are being hardened", no cure for them
>
>
> More seriously, Al your commit a9712bc12c40c172e393f85 closes the races
> during read() ok, but can you please share some light why the permission
> mode was changed ?
>
> 1)
> The commit log states that all these files are "rw-r--r--" which was not
> correct, they were "r--------" before that commit.
>
> 2)
> The commit log says also:
> "if you open a file before the target does suid-root exec, you'll be still
> able to access it." so you do the task is tracable check at read()
>
> But what if you open a file of a privileged target or a target that does
> suid-root exec later, and pass the fd to a suid-root exec to read() from
> it later, you will still pass that tracable check.
>
> And currently a non-privileged process can get an fd on all these
> /proc/*/stack files even root owned ones.
>
> So why not restore the old behaviour and block a process from getting an
> fd on /proc/*/stack files that belong to other processes?
>
>
> The original thread that added the /proc/*/stack feature:
> https://lkml.org/lkml/2008/11/7/109
>
> They noted that it should be under 0400 permissions
>
> So why remove that, or why not restore the old safe behaviour ?
>
>
> Hope to get a response
>
> Thanks Al
Hope this will convince.
Please not I'm just trying to help/contribute and get things right.
If there is something obvious that I'm missing let me know, will
be happy to learn
tixxdz@dztty-qemu:~$ id
uid=1000(tixxdz) gid=1000(tixxdz)
groups=1000(tixxdz),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)
tixxdz@dztty-qemu:~$ ls -lha ./a.out
-rwxr-xr-x 1 tixxdz tixxdz 8.0K Aug 28 20:26 ./a.out
tixxdz@dztty-qemu:~$ ls -lha /usr/bin/procmail
-rwsr-sr-x 1 root mail 88K Apr 25 2010 /usr/bin/procmail
(procmail with -d needs setuid())
tixxdz@dztty-qemu:~$ for i in $(seq 1 10); do ./a.out /usr/bin/procmail
/proc/$i/stack ; done
tixxdz@dztty-qemu:~$ cat /var/mail/tixxdz
[<ffffffff811b6537>] poll_schedule_timeout+0x57/0xe0
[<ffffffff811b70c7>] do_select+0x8b7/0x9a0
[<ffffffff811b766c>] core_sys_select+0x4bc/0x4f0
[<ffffffff811b7761>] SyS_select+0xc1/0x110
[<ffffffff81aef5e9>] system_call_fastpath+0x16/0x1b
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8108a6e1>] kthreadd+0xb1/0x150
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff81081610>] worker_thread+0x2e0/0x370
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff811020f3>] rcu_gp_kthread+0xe3/0x620
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff811023b4>] rcu_gp_kthread+0x3a4/0x620
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
[<ffffffff8109389e>] smpboot_thread_fn+0x1be/0x220
[<ffffffff8108a1b1>] kthread+0xd1/0xe0
[<ffffffff81aef53c>] ret_from_fork+0x7c/0xb0
[<ffffffffffffffff>] 0xffffffffffffffff
You have mail in /var/mail/tixxdz
Thanks
--
Djalal Harouni
http://opendz.org
next prev parent reply other threads:[~2013-08-28 20:11 UTC|newest]
Thread overview: 46+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-26 16:23 [kernel-hardening] [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality} Djalal Harouni
2013-08-26 16:23 ` Djalal Harouni
2013-08-26 16:24 ` [kernel-hardening] [PATCH 2/2] procfs: restore 0400 permissions on /proc/*/pagemap Djalal Harouni
2013-08-26 16:24 ` Djalal Harouni
2013-08-26 16:50 ` [kernel-hardening] " Eric W. Biederman
2013-08-26 16:50 ` Eric W. Biederman
2013-08-26 16:49 ` [kernel-hardening] Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality} Eric W. Biederman
2013-08-26 16:49 ` Eric W. Biederman
2013-08-26 17:20 ` [kernel-hardening] " Al Viro
2013-08-26 17:20 ` Al Viro
2013-08-27 17:24 ` [kernel-hardening] " Djalal Harouni
2013-08-27 17:24 ` Djalal Harouni
2013-08-28 20:11 ` Djalal Harouni [this message]
2013-08-28 20:11 ` Djalal Harouni
2013-08-28 20:49 ` [kernel-hardening] " Kees Cook
2013-08-28 20:49 ` Kees Cook
2013-08-28 21:11 ` [kernel-hardening] " Djalal Harouni
2013-08-28 21:11 ` Djalal Harouni
2013-08-29 0:26 ` [kernel-hardening] " Eric W. Biederman
2013-08-29 0:26 ` Eric W. Biederman
2013-08-29 0:30 ` [kernel-hardening] " Kees Cook
2013-08-29 0:30 ` Kees Cook
2013-08-29 1:08 ` [kernel-hardening] " Eric W. Biederman
2013-08-29 1:08 ` Eric W. Biederman
2013-08-29 3:33 ` [kernel-hardening] " Kees Cook
2013-08-29 3:33 ` Kees Cook
2013-08-29 7:42 ` [kernel-hardening] " Eric W. Biederman
2013-08-29 7:42 ` Eric W. Biederman
2013-08-29 9:11 ` [kernel-hardening] " Djalal Harouni
2013-08-29 9:11 ` Djalal Harouni
2013-08-29 22:14 ` [kernel-hardening] " Kees Cook
2013-08-29 22:14 ` Kees Cook
2013-08-31 20:26 ` [kernel-hardening] " Djalal Harouni
2013-08-31 20:26 ` Djalal Harouni
2013-09-01 1:44 ` [kernel-hardening] " Eric W. Biederman
2013-09-01 1:44 ` Eric W. Biederman
2013-09-01 15:04 ` [kernel-hardening] " Kees Cook
2013-09-01 15:04 ` Kees Cook
2013-09-12 1:23 ` [kernel-hardening] " Djalal Harouni
2013-09-12 1:23 ` Djalal Harouni
2013-10-04 0:41 ` [kernel-hardening] " Kees Cook
2013-10-04 0:41 ` Kees Cook
2013-10-04 0:53 ` [kernel-hardening] " Ryan Mallon
2013-10-04 0:53 ` Ryan Mallon
2013-08-26 20:34 ` [kernel-hardening] " Djalal Harouni
2013-08-26 20:34 ` Djalal Harouni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130828201141.GA21455@dztty \
--to=tixxdz@opendz.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=keescook@chromium.org \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=segoon@openwall.com \
--cc=solar@openwall.com \
--cc=torvalds@linux-foundation.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.