From: ebiederm@xmission.com (Eric W. Biederman)
To: James Morris <jmorris@namei.org>
Cc: Kees Cook <kees.cook@canonical.com>,
linux-kernel@vger.kernel.org, Al Viro <viro@ftp.linux.org.uk>,
Stephen Smalley <sds@tycho.nsa.gov>,
linux-security-module@vger.kernel.org
Subject: Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec
Date: Wed, 09 Feb 2011 19:41:41 -0800 [thread overview]
Message-ID: <m1r5bglfnu.fsf@fess.ebiederm.org> (raw)
In-Reply-To: <alpine.LRH.2.00.1102101337100.19432@tundra.namei.org> (James Morris's message of "Thu, 10 Feb 2011 13:44:58 +1100 (EST)")
James Morris <jmorris@namei.org> writes:
> On Tue, 8 Feb 2011, Eric W. Biederman wrote:
>
>> Kees Cook <kees.cook@canonical.com> writes:
>>
>> > On Tue, Feb 08, 2011 at 02:43:15PM +1100, James Morris wrote:
>
>> >> > I don't think /proc/$pid/* needs to stay open across execs, does it? Or at
>> >> > least the non-0444 files should be handled separately.
>> >>
>> >> Actually, this seems like a more general kind of bug in proc rather than a
>> >> leaked fd. Each child task should only see its own /proc/[pid] data.
>> >
>> > Right, that's precisely the problem. The unprivileged process can read
>> > the setuid process's /proc files.
>>
>> If these are things that we actually care about we should sprinkle in a
>> few more ptrace_may_access calls into implementations of the relevant
>> proc files.
>
> This seems to be papering over a bug.
>
> It is plainly broken to return an access error to a task which is
> legitimately accessing a file. The task should not receive the wrong
> information from /proc/[pid]/* .
Per task files are special because of exec. The permission needed
change dynamically. The common solution to this problem (see ttys) is
to revoke anyone who has file descriptors open. Proc does something a
little different and simply gives you a permission error when you read
or write if it would be a problem.
We happen to call the test to see if you should have permission
security_may_ptrace because ptrace lets you get the information anyway
so we might as well allow the information from /proc.
Given that security_may_ptrace is the existing model, and that we don't
return wrong data, but a clear an unambiguous error I don't see problems
with the approach.
The practical question is, is the data sensitive enough that we want
this protection.
Eric
next prev parent reply other threads:[~2011-02-10 3:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-02-07 23:14 [SECURITY] /proc/$pid/ leaks contents across setuid exec Kees Cook
2011-02-08 0:44 ` James Morris
2011-02-08 1:14 ` Kees Cook
2011-02-08 3:43 ` James Morris
2011-02-08 4:27 ` Kees Cook
2011-02-08 20:17 ` Eric W. Biederman
2011-02-10 2:44 ` James Morris
2011-02-10 3:41 ` Eric W. Biederman [this message]
2011-02-10 6:38 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m1r5bglfnu.fsf@fess.ebiederm.org \
--to=ebiederm@xmission.com \
--cc=jmorris@namei.org \
--cc=kees.cook@canonical.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=sds@tycho.nsa.gov \
--cc=viro@ftp.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox