From: Djalal Harouni <tixxdz@opendz.org>
To: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
Andrew Morton <akpm@linux-foundation.org>,
Ingo Molnar <mingo@kernel.org>,
linux-kernel@vger.kernel.org,
kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality}
Date: Mon, 26 Aug 2013 21:34:12 +0100 [thread overview]
Message-ID: <20130826203412.GA2414@dztty> (raw)
In-Reply-To: <871u5gqtw3.fsf@xmission.com>
On Mon, Aug 26, 2013 at 09:49:48AM -0700, Eric W. Biederman wrote:
> Djalal Harouni <tixxdz@opendz.org> writes:
>
> > Avoid giving an fd on privileged files for free by switching these
> > files to 0400 mode.
>
> This seems to be a revert of Al's patch in March of 2011 based on broken
> reasoning.
Yes it reverts some parts of it which are not correct.
Yes the patch closes the races *during* read() time, but why the
permissions were changed ?
Note: it does not close any suid exec between open(),read(),lseek()...
History:
This is the link of the original thread that added /proc/pid/stack
support
https://lkml.org/lkml/2008/11/7/109
Quoting Andrew "I guess the 0400 mode on that file will suffice..."
Here we do not have traceble checks at open() time, and the *only*
protection at open() which is the 0400 mode was also removed!
Please do check protections for /proc/*/mem
> Al Viro commited:
> > commit a9712bc12c40c172e393f85a9b2ba8db4bf59509
> > Author: Al Viro <viro@zeniv.linux.org.uk>
> > Date: Wed Mar 23 15:52:50 2011 -0400
> >
> > deal with races in /proc/*/{syscall,stack,personality}
> >
> > All of those are rw-r--r-- and all are broken for suid - if you open
> > a file before the target does suid-root exec, you'll be still able
> > to access it. For personality it's not a big deal, but for syscall
> > and stack it's a real problem.
> >
> > Fix: check that task is tracable for you at the time of read().
> >
> > Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
>
> How does changing the permissions to S_IRUSR prevent someone from
> opening the file before, and reading the file after a suid exec?
This will block opening files owned by other users, doing a suid will
not help since you do not have an fd on the file.
There is a big difference here:
Currently you can get an fd on /proc/1/stack or whatever root owned
process or files, later just do a suid exec to read from it.
But with this simple change you can't. You will be able to open and get
an fd only on the files owned by you (or the same user). Of course you
can do a suid exec but you will only read input from this suid exec.
You will not be able to read from arbitrary processes.
There is a reason that these files were made 0400. Al's commit
stated that currently all these files are "rw-r--r--" so add a check to
close a race, but these files were "r--------" before the commit and not
"r--r--r--" and it mistakenly changed them.
> > This patch restores the old mode which was 0400
>
> Which seems to add no security whatsoever and obscure the fact that
> anyone who cares can read the file so what is the point?
Well, I guess there is a big difference between 0400 and 0444
--
Djalal Harouni
http://opendz.org
prev parent reply other threads:[~2013-08-26 20:34 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-08-26 16:23 [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality} Djalal Harouni
2013-08-26 16:24 ` [PATCH 2/2] procfs: restore 0400 permissions on /proc/*/pagemap Djalal Harouni
2013-08-26 16:50 ` Eric W. Biederman
2013-08-26 16:49 ` [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality} Eric W. Biederman
2013-08-26 17:20 ` Al Viro
2013-08-27 17:24 ` Djalal Harouni
2013-08-28 20:11 ` Djalal Harouni
2013-08-28 20:49 ` Kees Cook
2013-08-28 21:11 ` Djalal Harouni
2013-08-29 0:26 ` Eric W. Biederman
2013-08-29 0:30 ` Kees Cook
2013-08-29 1:08 ` Eric W. Biederman
2013-08-29 3:33 ` Kees Cook
2013-08-29 7:42 ` Eric W. Biederman
2013-08-29 9:11 ` Djalal Harouni
2013-08-29 22:14 ` Kees Cook
2013-08-31 20:26 ` Djalal Harouni
2013-09-01 1:44 ` Eric W. Biederman
2013-09-01 15:04 ` Kees Cook
2013-09-12 1:23 ` Djalal Harouni
2013-10-04 0:41 ` Kees Cook
2013-10-04 0:53 ` Ryan Mallon
2013-08-26 20:34 ` Djalal Harouni [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130826203412.GA2414@dztty \
--to=tixxdz@opendz.org \
--cc=akpm@linux-foundation.org \
--cc=ebiederm@xmission.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mingo@kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).