Bugtraq mailing list archives
Re: /proc filesystem allows bypassing directory permissions on Linux
From: Anton Ivanov <anton.ivanov () kot-begemot co uk>
Date: Sat, 24 Oct 2009 19:05:35 +0100
On Sat, 2009-10-24 at 21:39 +0400, Dan Yefimov wrote:
> On 24.10.2009 20:59, Anton Ivanov wrote:
>>> Not to tell about that /proc/<PID>/fd/ contains only symbolic links, not files, so I can't understand, how the original reporter managed to gain access to the file in the restricted directory using that symlink.
>>
>> The perms are definitely broken and without a code audit on procfs I would not bet that this is limited just to this rather obscure test case. To be honest, I hope that it is limited to this rather obscure test case. If it is not there may be entertaining ramifications.
>
> Given my citation above (I personally use Linux), that obscure test case looks doubtful. If the original reporter uses some patched kernel, that doesn't matter others.
It works on Debian 2.6.26 out of the box. It is not an obscure patched kernel case I am afraid.

If you redir an FD to a file using thus redir-ed FD in /proc allows you to bypass directory permissions for where the file is located. Thankfully, file permissions still apply so you need an app which has silly file perms in a bolted down directory for this.

Symlinking the same file to a link on a normal ext3 or nfs filesystem as a sanity check shows correct permission behaviour. If you try to write to that symlink you get permission denied so the permissions on the fs actually work.

No need to be root, nothing. It is not a case of "forget to drop EID or something else like that either". It looks like what it says on the tin - permission bypass. Not that I would have expected anything different considering who posted it in the first place.

-- 
Understanding is a three-edged sword: your side, their side, and the truth. --Kosh Naranek

A. R. Ivanov
E-mail: anton.ivanov () kot-begemot co uk
WWW: http://www.kot-begemot.co.uk/
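The precondition named in the message above, a file with loose permissions inside a locked-down directory, can be audited for. The following is an added example, not part of the original post: the function names and the sample tree are constructed for illustration, and the check assumes only the classic "other" mode bits matter (group membership and ACLs are ignored).

```python
import os
import stat
import tempfile


def find_exposed_files(root):
    """Return sorted (path, mode) pairs for regular files that 'other' may
    read or write but that sit below a directory 'other' cannot search."""
    findings = []

    def walk(directory, shielded):
        # A subtree is "shielded" once any directory on the way down lacks o+x.
        mode = os.lstat(directory).st_mode
        shielded = shielded or not (mode & stat.S_IXOTH)
        with os.scandir(directory) as entries:
            for entry in entries:
                st = entry.stat(follow_symlinks=False)
                if stat.S_ISDIR(st.st_mode):
                    walk(entry.path, shielded)
                elif stat.S_ISREG(st.st_mode) and shielded:
                    # The directory was the only barrier; the file's own bits
                    # would allow access if the directory check is skipped.
                    if st.st_mode & (stat.S_IROTH | stat.S_IWOTH):
                        findings.append((entry.path, stat.filemode(st.st_mode)))

    walk(root, False)
    return sorted(findings)


def build_sample_tree():
    """Constructed sample: one locked directory, one public directory."""
    base = tempfile.mkdtemp()
    layout = {
        ("locked", "loose.dat"): 0o666,   # relies on the directory alone
        ("locked", "tight.dat"): 0o600,   # file mode protects it as well
        ("public", "shared.dat"): 0o666,  # directory is open anyway
    }
    for (subdir, name), mode in layout.items():
        os.makedirs(os.path.join(base, subdir), exist_ok=True)
        path = os.path.join(base, subdir, name)
        with open(path, "w") as handle:
            handle.write("sample\n")
        os.chmod(path, mode)  # explicit chmod so the umask does not interfere
    os.chmod(os.path.join(base, "locked"), 0o700)
    os.chmod(os.path.join(base, "public"), 0o755)
    os.chmod(base, 0o755)  # mkdtemp creates 0700, which would shield everything
    return base


if __name__ == "__main__":
    for path, mode in find_exposed_files(build_sample_tree()):
        print(mode, path)
```

Files it reports should get file modes that stand on their own, so that access does not depend on the directory check.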