Re: /proc filesystem allows bypassing directory permissions on Linux

[Stephen Harris <bugtraq () spuddy org>]

On Sat, Oct 24, 2009 at 02:31:47AM +0400, Dan Yefimov wrote:
> On 24.10.2009 1:56, Pavel Machek wrote:

> > a) this kind of hardlink does not exist when /proc is mounted (and on
> > non-Linux)

> > (and c) writing to file descriptor opened read-only is bad).

> Did you think of creating a hardlink to the file in an unrestricted 
> location?

Pavel considered that in his original mail, where he checked there were
no links.

Pavel wrote his email in a convoluted way, so it's not clear what's going
on.  Here's an attempt to rewrite:

User1 creates file with permissions 0644
                    User2 opens file for read access on file descriptor 4
User1 chmod's directory to 0700
User1 chmod's file to 0666
User1 verifies no hard links to file
                    User2 can not open the file for read or write access
                    User2 can not write to file descriptor 4
                    User2 _can_ write to /proc/$$/fd/4

Now user2 is expected to be able to have read-access to the file via
(he opened it in step 2).  If he attempts to write with ">&4" then it
silently fails (on Linux, anyway).  But access via /proc/$$/fd/4 allows
write access.

The real concern appears to be that user2 can write to a file descriptor
opened for read access.

A fix would be to have a mask against every procfs "fd" entry that matches
the open() mode of the file descriptor (or perhaps the mode of the file
when it was opened?).  Thus a write to /proc/$$/fd/4 would fail because
the mask on fd4 would be "read".

I think this is of (very) small concern (no one in their right mind
would do this) but it is an unexpected result and breaks the principle
of least surprise.

FWIW, the same "issue" exists on Solaris 10.  It's not Linux specific.

-- 

rgds
Stephen