lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091025103424.2F1A.0@paddy.troja.mff.cuni.cz>
Date: Sun, 25 Oct 2009 11:13:39 +0100 (CET)
From: Pavel Kankovsky <peak@...o.troja.mff.cuni.cz>
To: Pavel Machek <pavel@....cz>
Cc: bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on Linux

Consider this scenario, pavel's actions are the same as in yours:

pavel & guest: cd /tmp
pavel: mkdir my_priv; cd my_priv
pavel: echo this file should never be writable > unwritable_file
guest: mkdir pirate_chest
guest: ln my_priv/unwritable_file pirate_chest
pavel: chmod 700 .
pavel: chmod 666 unwritable_file 
pavel: cat unwritable_file 
guest: echo got you > pirate_chest/unwritable_file
pavel: cat unwritable_file

pavel might have detected this attack if he checked the number of
hardlinks on "unwritable_file"  between the chmod's. But he did not
check that.

Yes, procfs makes it possible to circument directory permissions 
but it does not mean you are not playing with an armed grenade whenever 
you mix chmod with the number of the Beast.

-- 
Pavel Kankovsky aka Peak                          / Jeremiah 9:21        \
"For death is come up into our MS Windows(tm)..." \ 21st century edition /

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ