| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 24 Oct 2009 12:25:42 +1030 From: Daryl Tester <dt-bugtraq@...dcraftedcomputers.com.au> To: bugtraq@...urityfocus.com Subject: Re: /proc filesystem allows bypassing directory permissions on Linux Pavel Machek wrote: > So what did happen? User guest was able to work around directory > permissions in the background, using /proc filesystem. > > guest@toy:~$ bash 3< /tmp/my_priv/unwritable_file Although having an already open handle to the file is kind of cheating. :-) (well, it isn't, but I think it's a mitigating factor). > # ...until we take a way around it with /proc filesystem. Oops. > guest@toy:/tmp/my_priv$ echo got you > /proc/self/fd/3 But I understand that the check on the parent directory of the file for accessibility appears to be missing here, at least to get the same behaviour as relative file opening. Despite what Dan says regarding the behaviour as "by design", I find the /proc/fd system under Linux to be, erm, "ad hoc", and the semantics not well documented (if at all). The Linux implementation seems to be more "filename based" rather than file descriptor (which appears to be the BSD model), which has tripped me up before (e.g. <http://lkml.org/lkml/2008/8/7/25>). -- Regards, Daryl Tester "Scheme is an exotic sports car. Fast. Manual transmission. No radio. Common Lisp is Howl's Moving Castle." -- Steve Yegge, comparing Lisp families to cars.
Powered by blists - more mailing lists