Re: /proc filesystem allows bypassing directory permissions on Linux

[CaT <cat () zip com au>]

On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> and testing them. Remember the scenario from the original mail and try 
> finding a window, during which creating a hardlink would still work thus 
> evading directory permissions check.

The main thing this does is allow a hardlink-like attack to work across
mountpoints afaics.

Instead of making hardlink you run something that keeps an fd open to the
file.

That said, I don't see how this is a vuln in /proc. Can you not have your
little program seek back to the beginning and re-read the file in order
to track changes?

You can't actually use /proc/*/fd to gain access to files opened by
processes you do not own. Only ones you do (at least in a mainline kernel)
which is fair enough. This means that you can't have user a open a file
owned by user b and then let user c have access to it via /proc/$pid/fd.

Or am I misreading/misunderstanding something? I've not tested all of the
above (no time). Just going off remembered experience.

-- 
  "A search of his car uncovered pornography, a homemade sex aid, women's 
  stockings and a Jack Russell terrier."
    - http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html