Re: symlinks with permissions

[daw@cs.berkeley.edu (David Wagner)]

Casey Schaufler  wrote:
>Pavel Machek wrote:
>> Look again. I can count on paths if I can prevent mounts and
>> hardlinks.
>
> But you can't.

Yes, he can and did.  See Pavel's original post with his
attack script.  It's all there!

Hardlinks: in his *original* post, listing the attack script,
Pavel checks the hardlink count, which does defend against
hardlinks.  So can we drop the hardlink objection?

Mounts: can only be exploited by root.  On many Linux systems,
one cannot defend against a threat model where root is malicious,
and as a consequence, root-only attacks are out of scope for
those systems.  For those systems, this /proc mechanism is
a security hole: it enables attacker to do bad stuff they
couldn't have done without it.

> I refer you back to the long and tedious arguments
> against pathname based access controls.

I don't find that reference helpful.  Those arguments don't
seem relevant to this situation, as far as I can see.  I would
find specificity more useful than analogies.

Pavel has provided a concrete attack script.  If you believe
that the protections afforded by that script can be circumvented,
how about showing us the specific attack, described to a similar
level of concreteness and specifity, that demonstrates how to
upgrade the read-only fd to a read-write fd without using /proc?

Put another way: if you are right that the arguments about
pathname based access controls apply here and lead to the
conclusions you are espousing, then you should be able to
exhibit a specific, concrete, fully specified attack on Pavel's
script, without using /proc.  Right?