From: Willy Tarreau <willy@w.ods.org>
To: Solar Designer <solar@openwall.com>
Cc: Tigran Aivazian <tigran@aivazian.fsnet.co.uk>,
Alan Cox <alan@redhat.com>,
Marcelo Tosatti <marcelo.tosatti@cyclades.com>,
linux-kernel@vger.kernel.org
Subject: Re: question about /proc/<PID>/mem in 2.4 (fwd)
Date: Sun, 18 Jul 2004 23:27:21 +0200 [thread overview]
Message-ID: <20040718212721.GC1545@alpha.home.local> (raw)
In-Reply-To: <20040718125925.GA20133@openwall.com>
Hi !
On Sun, Jul 18, 2004 at 04:59:25PM +0400, Solar Designer wrote:
> On Sun, Jul 18, 2004 at 01:41:34PM +0100, Tigran Aivazian wrote:
[...]
> > # setuidapp < /proc/self/mem
> >
> > and this program reading stdin.
>
> The problem is the program does not know its stdin corresponds to a
> process' address space and it does not know it is making use of a
> privilege to read it. A correctly written SUID root program may
> reasonably assume that the data it obtains from stdin is whatever the
> unprivileged user has provided, -- and, for example, display such data
> back to the user (as a part of an error message or so). If we permit
> reads from /proc/<pid>/mem based on credentials of the read(2)-calling
> process only, this assumption would be violated resulting in security
> holes.
unless I'm mistaken, it will be the shell which will open /proc/self/mem,
so if it doesn't have correct rights, even the setuidapp will not have
access to it because the shell will not be able to open the file.
> Oh, by the way, I've just noticed that the above example is not
> entirely correct. In order to read setuidapp's own address space
> (after the kernel has been patched according to your proposal), it
> should have been:
>
> $ exec setuidapp < /proc/self/mem
Hmm, this is an interesting case. What exactly is passed then ? You agree
that the shell opens its own memory map on fd 0 then execs setuidapp
which will have it on stdin. But will the fd contents be automatically
replaced with the new process' memory map or will it still be the shell's
until this last reference is dropped ?
Cheers,
Willy
next prev parent reply other threads:[~2004-07-18 21:29 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-07 13:28 question about /proc/<PID>/mem in 2.4 (fwd) Tigran Aivazian
2004-07-07 23:48 ` Solar Designer
2004-07-18 12:41 ` Tigran Aivazian
2004-07-18 12:59 ` Solar Designer
2004-07-18 21:27 ` Willy Tarreau [this message]
2004-07-18 23:15 ` Paul Jackson
2004-07-19 4:54 ` Willy Tarreau
2004-07-19 6:47 ` Paul Jackson
2004-07-22 20:34 ` Alan Cox
2004-07-22 21:23 ` Paul Jackson
2004-07-23 17:34 ` Alan Cox
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20040718212721.GC1545@alpha.home.local \
--to=willy@w.ods.org \
--cc=alan@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.tosatti@cyclades.com \
--cc=solar@openwall.com \
--cc=tigran@aivazian.fsnet.co.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox