Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: /proc filesystem allows bypassing directory permissions on Linux

From: Pavel Machek <pavel () ucw cz>
Date: Wed, 28 Oct 2009 22:30:37 +0100
On Tue 2009-10-27 11:49:32, CaT wrote:

On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:

and testing them. Remember the scenario from the original mail and try 
finding a window, during which creating a hardlink would still work thus 
evading directory permissions check.


The main thing this does is allow a hardlink-like attack to work across
mountpoints afaics.


Yes, plus it allows "hardlinks" on deleted files, and this "strange
hard links" can not be seen on link count.


You can't actually use /proc/*/fd to gain access to files opened by
processes you do not own. Only ones you do (at least in a mainline kernel)
which is fair enough. This means that you can't have user a open a file
owned by user b and then let user c have access to it via
/proc/$pid/fd.


No, but you can upgrade file from read-only to read-write using /proc.
                                                                        Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Previous By Date Next
Previous By Thread Next

Current thread: