From: Vasiliy Kulikov <segoon@openwall.com>
To: kernel-hardening@lists.openwall.com
Subject: Re: [kernel-hardening] [RFC v1] procfs mount options
Date: Mon, 6 Jun 2011 22:08:06 +0400 [thread overview]
Message-ID: <20110606180806.GA3986@albatros> (raw)
In-Reply-To: <20110605201025.GA9541@openwall.com>
[-- Attachment #1: Type: text/plain, Size: 797 bytes --]
On Mon, Jun 06, 2011 at 00:10 +0400, Solar Designer wrote:
> > Process A with UID=1000 opens /proc/123/, while 123 has UID=1000.
> >
> > 123 exec's setuid binary, /proc/123/ becomes unaccessible to A.
> >
> > However, A still keeps the directory opened and may read its contents.
>
> Oh, this is a valid concern. Please research this. Perhaps there
> should be a may-ptrace check (or maybe more than one).
This is similar to CVE-2011-1020:
https://lkml.org/lkml/2011/2/7/368
http://seclists.org/fulldisclosure/2011/Jan/421
The proposed solution for separate procfs files is implementing
additional runtime checks (besides POSIX perms), however, it probably
doesn't scale for the whole PID directory.
Will try to invent some simple way to deal with it.
--
Vasiliy
[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 836 bytes --]
next prev parent reply other threads:[~2011-06-06 18:08 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20110603191153.GB514@openwall.com>
2011-06-04 5:47 ` [kernel-hardening] Re: procfs mount options Vasiliy Kulikov
2011-06-04 13:20 ` [kernel-hardening] " Solar Designer
2011-06-04 20:09 ` Vasiliy Kulikov
2011-06-04 20:59 ` Solar Designer
2011-06-05 18:24 ` [kernel-hardening] [RFC v1] " Vasiliy Kulikov
2011-06-05 19:26 ` Solar Designer
2011-06-05 19:47 ` Vasiliy Kulikov
2011-06-05 20:10 ` Solar Designer
2011-06-06 18:08 ` Vasiliy Kulikov [this message]
2011-06-06 18:33 ` Solar Designer
2011-06-08 17:23 ` [kernel-hardening] [RFC v2] " Vasiliy Kulikov
2011-06-08 17:43 ` Vasiliy Kulikov
2011-06-12 2:39 ` Solar Designer
2011-07-24 18:55 ` Vasiliy Kulikov
[not found] ` <20110724185036.GC3510@albatros>
2011-07-26 14:50 ` Vasiliy Kulikov
2011-07-29 17:47 ` [kernel-hardening] procfs {tid,tgid,attr}_allowed " Vasiliy Kulikov
2011-08-04 11:23 ` [kernel-hardening] " Vasiliy Kulikov
2011-08-10 10:02 ` Vasiliy Kulikov
2011-08-10 11:22 ` [kernel-hardening] " Solar Designer
2011-08-10 11:25 ` Solar Designer
2011-08-10 12:04 ` Vasiliy Kulikov
2011-08-10 13:34 ` Solar Designer
2011-08-12 18:14 ` Simon Marechal
2011-06-06 19:20 ` [kernel-hardening] [RFC v1] procfs " Vasiliy Kulikov
2011-06-05 19:17 ` [kernel-hardening] " Vasiliy Kulikov
2011-06-05 19:40 ` Solar Designer
2011-06-05 19:53 ` Vasiliy Kulikov
2011-06-05 18:36 ` [kernel-hardening] Re: [owl-dev] " Vasiliy Kulikov
2011-06-05 18:47 ` [kernel-hardening] " Solar Designer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20110606180806.GA3986@albatros \
--to=segoon@openwall.com \
--cc=kernel-hardening@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox