From: ebiederm@xmission.com (Eric W. Biederman)
To: Petr Baudis <pasky@suse.cz>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Dumpable tasks and ownership of /proc/*/fd
Date: Sun, 09 Apr 2006 23:43:03 -0600 [thread overview]
Message-ID: <m17j5yhtp4.fsf@ebiederm.dsl.xmission.com> (raw)
In-Reply-To: <20060408120815.GB16588@pasky.or.cz> (Petr Baudis's message of "Sat, 8 Apr 2006 14:08:16 +0200")
Petr Baudis <pasky@suse.cz> writes:
> Hello,
>
> I would like to ask why is /proc/*/fd owned by root when the task is
> not dumpable - what security concern does it address? It would seem more
> reasonable to me if the /proc/*/fd owner would be simply always the real
> uid of the process.
>
> The issue is that now all tasks calling setuid() from root to non-root
> during their lifetime will not be able to access their /proc/self/fd.
> This is troublesome because the fstatat() and other *at() routines are
> emulated by accessing /proc/self/fd/*/path and that will break with
> setuid()ing programs, leading to various weird consequences (e.g. with
> the latest glibc, nftw() does not work with setuid()ing programs and
> furthermore causes the LSB testsuite to fail because of this, etc.).
Looking at it the current check is indeed incorrect.
Primarily because it is a check on open and not a check
on access. We can open the directory anytime so if
this is a serious permission we need to check on access.
Further when it is ourselves we always have access to that
information directly, and /proc is just a convenience. So
we should not be denying ourselves.
Other processes we do need to deny if we aren't dumpable because
they don't have another way to get that information.
Speaking of things why does the *at() emulation need to touch
/proc/self/fd/*? I may be completely dense but if the practical
justification for allowing access to /proc/self/fd/ is that we
already have access then we shouldn't need /proc/self/fd.
I suspect this a matter of convenience where you are prepending
/proc/self/fd/xxx/ to the path before you open it instead of calling
fchdir openat() and the doing fchdir back. Have I properly guessed
how the *at() emulation works?
Eric
next prev parent reply other threads:[~2006-04-10 5:44 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-04-08 12:08 Dumpable tasks and ownership of /proc/*/fd Petr Baudis
2006-04-10 5:43 ` Eric W. Biederman [this message]
2006-04-10 6:53 ` Petr Baudis
2006-04-10 7:42 ` Eric W. Biederman
2006-04-11 13:40 ` Petr Baudis
[not found] <5Zkqr-5LI-5@gated-at.bofh.it>
[not found] ` <5ZXrM-3qg-3@gated-at.bofh.it>
2006-04-11 19:30 ` Bodo Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m17j5yhtp4.fsf@ebiederm.dsl.xmission.com \
--to=ebiederm@xmission.com \
--cc=linux-kernel@vger.kernel.org \
--cc=pasky@suse.cz \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox