From: Serge Hallyn
To: Tetsuo Handa
Cc: linux-fsdevel@vger.kernel.org, linux-security-module@vger.kernel.org, keescook@chromium.org
Subject: Re: /proc/pid/fd/ shows strange mode when executed via sudo.
Date: Thu, 3 May 2012 10:42:22 -0500
Message-ID: <20120503154222.GA8776@sergelap>
In-Reply-To: <201205022240.GBB13566.VOtHFOLFOMSJFQ@I-love.SAKURA.ne.jp>

Quoting Tetsuo Handa (penguin-kernel@I-love.SAKURA.ne.jp):
> I noticed a strange difference in /proc/pid/fd/ directory
> when a command is executed via /usr/bin/sudo.
>
> Say, there are three files in some directory.
> (In my environment, /tmp/ is a plain ext4 partition.)
>
> # touch /tmp/1
> # touch /tmp/2
> # touch /tmp/3
> # ls -l /tmp/?
> -rw-r--r-- 1 root root 0 May  2 21:48 /tmp/1
> -rw-r--r-- 1 root root 0 May  2 21:48 /tmp/2
> -rw-r--r-- 1 root root 0 May  2 21:48 /tmp/3
>
> Try to read one of them using "tail -f" from one terminal.
>
> # tail -f /tmp/1
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:54 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:54 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:54 2 -> /dev/pts/0
> lr-x------ 1 root root 64 May  2 21:54 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:54 4 -> anon_inode:inotify
>
> Quit the "tail -f". Try to read two of them using "tail -f".
>
> # tail -f /tmp/1 /tmp/2
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:54 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:54 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:54 2 -> /dev/pts/0
> lr-x------ 1 root root 64 May  2 21:54 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:54 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:54 5 -> anon_inode:inotify
>
> Quit the "tail -f". Try to read three of them using "tail -f".
>
> # tail -f /tmp/1 /tmp/2 /tmp/3
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:55 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:55 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:55 2 -> /dev/pts/0
> lr-x------ 1 root root 64 May  2 21:55 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:55 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:55 5 -> /tmp/3
> lr-x------ 1 root root 64 May  2 21:55 6 -> anon_inode:inotify
>
> Quit the "tail -f". You see, they are all fine.
>
> However, the output is different when executed via /usr/bin/sudo .
>
> Try to read one of them using "sudo tail -f" from one terminal.
>
> # sudo tail -f /tmp/1
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:55 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:55 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:55 2 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:55 3 -> /tmp/1
> lrwx------ 1 root root 64 May  2 21:55 4 -> anon_inode:inotify
>
> Quit the "tail -f". Try to read two of them using "sudo tail -f".
>
> # sudo tail -f /tmp/1 /tmp/2
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:56 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 2 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 3 -> /tmp/1
> lrwx------ 1 root root 64 May  2 21:56 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:56 5 -> anon_inode:inotify
>
> Quit the "tail -f". Try to read three of them using "sudo tail -f".
>
> # sudo tail -f /tmp/1 /tmp/2 /tmp/3
>
> Show /proc/pid/fd/ from another terminal.
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:56 0 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 1 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 2 -> /dev/pts/0
> lrwx------ 1 root root 64 May  2 21:56 3 -> /tmp/1
> lrwx------ 1 root root 64 May  2 21:56 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:56 5 -> /tmp/3
> lr-x------ 1 root root 64 May  2 21:56 6 -> anon_inode:inotify
>
> Quit the "tail -f".
>
> You see, when executed via /usr/bin/sudo , fd == 3 and fd == 4 are reported as
> "lrwx------" whereas fd >= 5 are reported as "lr-x------".
>
> # strace -f -e open sudo tail -f /tmp/1 /tmp/2 /tmp/3
>
> shows that /usr/bin/tail is opening /tmp/1 /tmp/2 /tmp/3 as O_RDONLY.
> /usr/bin/sudo can't set w bit before /usr/bin/tail opens them with r bit.
> I wonder from where the w bit came...

Note that if you do

	sudo strace -f -e open tail -f /tmp/{1,2,3,4}

then the fds are not opened with write perms.  But if you do as you did,

	strace -f -e open sudo tail -f /tmp/1 /tmp/2 /tmp/3

they are.  Interesting.

The same thing also happens for me with tmpfs, and with a Debian sid ec2
instance running 2.6.32-5-xen-amd64.

> Above result was obtained using kernel 3.2.0-24-generic-pae (3.2.0-24.37) on
> Ubuntu 12.04, but below result (similar but not identical) was obtained using
> vanilla 3.4-rc5 kernel on CentOS 6.2.
>
> -- (normal case. normal result.)
> # tail -f /tmp/1 /tmp/2
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:04 0 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:04 1 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:04 2 -> /dev/pts/2
> lr-x------ 1 root root 64 May  2 21:04 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:04 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:04 5 -> anon_inode:inotify
> -- (sudo case. only fd == 3 got w bit.)
> # sudo tail -f /tmp/1 /tmp/2
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:05 0 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:05 1 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:05 2 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:05 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:05 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:05 5 -> anon_inode:inotify
> -- (normal case. normal result.)
> # tail -f /tmp/1 /tmp/2 /tmp/3
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:07 0 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:07 1 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:07 2 -> /dev/pts/2
> lr-x------ 1 root root 64 May  2 21:07 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:07 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:07 5 -> /tmp/3
> lr-x------ 1 root root 64 May  2 21:07 6 -> anon_inode:inotify
> -- (sudo case. fd == 3 and fd == 6 got w bit.)
> # sudo tail -f /tmp/1 /tmp/2 /tmp/3
>
> # ls -l /proc/`pidof tail`/fd/
> total 0
> lrwx------ 1 root root 64 May  2 21:07 0 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:07 1 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:07 2 -> /dev/pts/2
> lrwx------ 1 root root 64 May  2 21:07 3 -> /tmp/1
> lr-x------ 1 root root 64 May  2 21:07 4 -> /tmp/2
> lr-x------ 1 root root 64 May  2 21:07 5 -> /tmp/3
> lrwx------ 1 root root 64 May  2 21:07 6 -> anon_inode:inotify
>
> I guess something is wrong.
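The comparison made by hand in the thread above (the r/w letters that ls -l shows on /proc/PID/fd/N versus the O_RDONLY seen in strace) can be automated for any process from /proc/PID/fdinfo/N, whose flags field records the access mode each descriptor was actually opened with. The script below is an added example, not code from the thread or from any participant; it assumes a Linux /proc that provides fdinfo and GNU coreutils stat, and it generalises the check to every fd of a process rather than only tail's.

```shell
#!/bin/sh
# Added example, not from the thread: compare the r/w letters that ls -l shows
# on /proc/PID/fd/N with the access mode recorded in /proc/PID/fdinfo/N, so the
# discrepancy reported above can be checked for any process, not only tail.
# Assumes Linux with /proc/PID/fdinfo and GNU coreutils stat.

# Map the open(2) flags word (octal, as fdinfo prints it) to the "rw" letters
# the /proc/PID/fd/N symlink mode should carry. O_ACCMODE is 3:
# 0 = O_RDONLY, 1 = O_WRONLY, 2 = O_RDWR.
expected_rw_from_flags() {
    case $(( $1 & 3 )) in
        0) echo "r-" ;;
        1) echo "-w" ;;
        2) echo "rw" ;;
        *) echo "??" ;;
    esac
}

# Extract the owner r/w letters (characters 2-3) from a mode string such as
# "lrwx------" or "lr-x------".
shown_rw_from_mode() {
    printf '%s\n' "$1" | cut -c2-3
}

# Print one line per fd of PID whose symlink mode disagrees with its fdinfo
# flags; the return value is the number of mismatches (0 = consistent).
check_fd_modes() {
    pid=$1
    mismatches=0
    for fdinfo in /proc/"$pid"/fdinfo/*; do
        [ -e "$fdinfo" ] || continue          # fd may have been closed meanwhile
        fd=${fdinfo##*/}
        flags=$(awk '/^flags:/ { print $2 }' "$fdinfo")
        [ -n "$flags" ] || continue
        mode=$(stat -c %A /proc/"$pid"/fd/"$fd" 2>/dev/null) || continue
        want=$(expected_rw_from_flags "$flags")
        have=$(shown_rw_from_mode "$mode")
        if [ "$want" != "$have" ]; then
            target=$(readlink /proc/"$pid"/fd/"$fd")
            printf 'fd %s -> %s: fdinfo flags %s imply "%s", /proc shows "%s" (%s)\n' \
                "$fd" "$target" "$flags" "$want" "$have" "$mode"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Usage: check_fd_modes "$(pidof tail)"   (any PID whose /proc entries you may read)
```

Reading another process's fd and fdinfo entries requires the same privilege as the ptrace access check, so inspecting a root-owned tail needs root, as in the thread.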