Bugtraq mailing list archives

Re: /proc filesystem allows bypassing directory permissions on Linux


From: CaT <cat () zip com au>
Date: Thu, 29 Oct 2009 08:58:37 +1100

On Tue, Oct 27, 2009 at 03:34:04PM -0500, Derek Martin wrote:
> $ mkdir foo
> $ cd foo
> $ echo hi > bar
> $ ls -la
> total 12
> drwxr-xr-x  2 user1 group1 4096 2009-10-27 16:22 ./
> drwx------ 57 user1 group1 4096 2009-10-27 16:22 ../
> -rw-r--r--  1 user1 group1    3 2009-10-27 16:22 bar
> $ chmod 000 .
> $ echo bye > bar
> -bash: bar: Permission denied

I think that fails because you've removed the search bits from the dir so
bash no longer has permissions to -find- the file. Eg:

$ mkdir test
$ cd test
$ echo moo >cow
$ chmod 600 .
$ echo meow >cow
bash: cow: Permission denied

> The problem with the /proc interface is:
>
>  - it is automatic (if /proc is mounted)
>  - its file access semantics are not identical to the rest of the file system
>    (e.g. they are not really symlinks, and they are not really hard
>    links, and the link count is not incremented, and the average
>    person will have no idea about their semantics).
>  - it creates a pseudo-link with permissions which do not regard the directory
>    access controls the user had to pass authorization checks to gain access.

Would the file descriptor work differently if the program that opened the
file changed it after the victim changed the permissions on the directory?
It should be noted that 2 users have access to /proc/$pid/fd/$fd - the
user the program is running as and root (at least that is the case on my
Linux system).

-- 
  "A search of his car uncovered pornography, a homemade sex aid, women's 
  stockings and a Jack Russell terrier."
    - http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html
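The behaviour the thread is arguing about, reproduced as an added example (this script is not part of the original posts and is not code from either correspondent). It assumes a Linux system with /proc mounted and an unprivileged user; the directory name DEMO_DIR and the function names are this example's own. A read-only descriptor is held open on a file, the containing directory is then chmod 000, and a fresh open() through the /proc/self/fd/N pseudo-link still succeeds for writing, because the kernel jumps straight to the open file and only checks the file's own mode bits, never the directory's search bit. Run as root the direct-path write succeeds as well (CAP_DAC_OVERRIDE), so the contrast only shows for a normal user.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes Linux with /proc
# mounted. DEMO_DIR and all function names are this example's own.

# Create a scratch directory and file, hold fd 3 open on the file
# (read-only, as a long-running program might), then strip every bit
# from the directory so normal path lookup through it must fail.
setup_demo() {
  DEMO_DIR=$(mktemp -d)
  echo hi > "$DEMO_DIR/bar"
  exec 3< "$DEMO_DIR/bar"
  chmod 000 "$DEMO_DIR"
}

# Normal path lookup: needs search (x) on DEMO_DIR, so an unprivileged
# user gets EACCES here. (root has CAP_DAC_OVERRIDE and is not stopped.)
direct_write() {
  ( echo bye > "$DEMO_DIR/bar" ) 2>/dev/null
}

# Re-open through /proc: the pseudo-link resolves to the open file itself,
# so DEMO_DIR is never walked. The new open is O_WRONLY|O_TRUNC even though
# fd 3 was opened read-only; the only check applied is the file's own mode.
# The subshell inherits fd 3, so /proc/self/fd/3 inside it is that fd.
proc_write() {
  ( echo bye > /proc/self/fd/3 ) 2>/dev/null
}

# Read the file back the same way to confirm the write landed.
# cat inherits fd 3, so /proc/self/fd/3 in cat refers to the same file.
content_via_proc() {
  cat /proc/self/fd/3
}

# Restore the directory bits so the scratch tree can be removed.
cleanup_demo() {
  exec 3<&-
  chmod 700 "$DEMO_DIR"
  rm -rf "$DEMO_DIR"
}

# Stand-alone run: show both results side by side.
setup_demo
if direct_write; then
  echo "direct path:    write succeeded (running with CAP_DAC_OVERRIDE?)"
else
  echo "direct path:    Permission denied"
fi
if proc_write; then
  echo "/proc/self/fd:  write succeeded, file now reads '$(content_via_proc)'"
else
  echo "/proc/self/fd:  write failed (is /proc mounted?)"
fi
cleanup_demo
```

The reopen only works while some process still holds the descriptor, and /proc/$pid/fd is readable only by that process's user and root, which is the limit CaT notes above; it does not grant anything the file's own mode bits would deny.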
