Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: /proc filesystem allows bypassing directory permissions on Linux

From: Dan Yefimov <dan () lightwave net ru>
Date: Thu, 29 Oct 2009 18:24:01 +0300
On 29.10.2009 0:27, Pavel Machek wrote:

That race is easily fixed.


No, you're not right.


After chmodding the directory to 0700, *first*
check the link count, *then* chmod the file to 0666:

     User1 creates file with permissions 0644
                     User2 opens file for read access on file descriptor 4
     User1 chmod's directory to 0700
     User1 verifies no hard links to file


Here's a window, during which User2 is able to create a hardlink and
that will remain unnoticed by User1. There's no way to perform link
check and conditionally do chmod in an atomic manner.


0700 on directory prevents hardlink creation, see?
Do you still remember about openat()? If the directory was created with 0700 mode from the origin, you would be right, and procfs wouldn't allow opening files in that directory too, but if you let others to traverse that directory and open your believed to be secure files from the origin, it's your fault. 
--

Sincerely Your, Dan.
Previous By Date Next
Previous By Thread Next

Current thread: