From: ebiederm@xmission.com (Eric W. Biederman)
To: Pavel Machek <pavel@ucw.cz>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>,
Jan Kara <jack@suse.cz>, "J. Bruce Fields" <bfields@fieldses.org>,
"Serge E. Hallyn" <serue@us.ibm.com>,
kernel list <linux-kernel@vger.kernel.org>,
linux-fsdevel@vger.kernel.org, viro@zeniv.linux.org.uk,
jamie@shareable.org
Subject: Re: symlinks with permissions
Date: Wed, 28 Oct 2009 04:25:23 -0700 [thread overview]
Message-ID: <m1k4yfkbfg.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <20091028081653.GA18290@elf.ucw.cz> (Pavel Machek's message of "Wed\, 28 Oct 2009 09\:16\:53 +0100")
Pavel Machek <pavel@ucw.cz> writes:
> On Tue 2009-10-27 21:15:54, Eric W. Biederman wrote:
>> Pavel Machek <pavel@ucw.cz> writes:
>>
>> > On Mon 2009-10-26 13:57:49, Trond Myklebust wrote:
>> >> On Mon, 2009-10-26 at 18:46 +0100, Jan Kara wrote:
>> >> > That's what I'd think as well but it does not as I've just learned and
>> >> > tested :) proc_pid_follow_link actually directly gives a dentry of the
>> >> > target file without checking permissions on the way.
>> >
>> > It is weider. That symlink even has permissions. Those are not
>> > checked, either.
>> >
>> >> I seem to remember that is deliberate, the point being that a symlink
>> >> in /proc/*/fd/ may contain a path that refers to a private namespace.
>> >
>> > Well, it is unexpected and mild security hole.
>>
>> /proc/<pid>/fd is only viewable by the owner of the process or by
>> someone with CAP_DAC_OVERRIDE. So there appears to be no security
>> hole exploitable by people who don't have the file open.
>
> Please see bugtraq discussion at
> http://seclists.org/bugtraq/2009/Oct/179 .
>
> (In short, you get read-only fd, and you can upgrade it to read-write
> fd. Yes, you are the owner of the process, but you are not owner of
> the file the fd refers to.)
Assuming you have permission to open it read-write.
>> > Part of the problem is that even if you have read-only
>> > filedescriptor, you can upgrade it to read-write, even if path is
>> > inaccessible to you.
>> >
>> > So if someone passes you read-only filedescriptor, you can still write
>> > to it.
>>
>> Openly if you actually have permission to open the file again. The actual
>> permissions on the file should not be ignored.
>
> The actual permissions of the file are not ignored, but permissions of
> the containing directory _are_. If there's 666 file in 700 directory,
> you can reopen it read-write, in violation of directory's 700
> permissions.
I can see how all of this can come as a surprise. However I don't see
how any coder who is taking security seriously and being paranoid about
security would actually write code that would have a problem with this.
Do you know of any cases where this difference matters in practice?
It looks to me like it has been this way for better than a decade
without problems so there is no point in changing it now.
Eric
next prev parent reply other threads:[~2009-10-28 11:25 UTC|newest]
Thread overview: 36+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-10-25 6:29 symlinks with permissions Pavel Machek
2009-10-26 16:31 ` Jan Kara
2009-10-26 16:57 ` Serge E. Hallyn
2009-10-26 17:36 ` J. Bruce Fields
2009-10-26 17:46 ` Jan Kara
2009-10-26 17:57 ` Trond Myklebust
2009-10-25 9:36 ` Pavel Machek
2009-10-26 18:22 ` Trond Myklebust
2009-10-27 8:11 ` Pavel Machek
2009-10-27 10:27 ` Jamie Lokier
2009-10-26 18:35 ` J. Bruce Fields
2009-10-28 4:15 ` Eric W. Biederman
2009-10-28 8:16 ` Pavel Machek
2009-10-28 11:25 ` Eric W. Biederman [this message]
2009-10-28 21:03 ` Pavel Machek
2009-10-29 2:20 ` Eric W. Biederman
2009-10-29 11:03 ` Pavel Machek
2009-10-29 16:23 ` Eric W. Biederman
2009-10-30 18:35 ` Pavel Machek
2009-10-30 20:37 ` Nick Bowler
2009-10-30 23:03 ` Eric W. Biederman
2009-10-31 2:30 ` Jamie Lokier
2009-10-28 16:34 ` Casey Schaufler
2009-10-28 19:44 ` Jamie Lokier
2009-10-28 21:06 ` Pavel Machek
2009-10-28 22:48 ` David Wagner
2009-10-29 4:13 ` Casey Schaufler
2009-10-29 7:53 ` David Wagner
2009-10-30 14:07 ` Pavel Machek
2009-10-31 4:09 ` Casey Schaufler
2009-11-01 9:23 ` David Wagner
2009-11-01 17:43 ` Casey Schaufler
2009-11-01 20:39 ` David Wagner
2009-11-01 22:05 ` Casey Schaufler
2009-10-26 18:02 ` J. Bruce Fields
2009-10-26 17:57 ` Serge E. Hallyn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1k4yfkbfg.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=bfields@fieldses.org \
--cc=jack@suse.cz \
--cc=jamie@shareable.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=serue@us.ibm.com \
--cc=trond.myklebust@fys.uio.no \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.