lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091026152608.GE25725@elf.ucw.cz>
Date: Mon, 26 Oct 2009 16:26:09 +0100
From: Pavel Machek <pavel@....cz>
To: Dan Yefimov <dan@...htwave.net.ru>
Cc: peak@...o.troja.mff.cuni.cz, psz@...hs.usyd.edu.au,
	bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on
 Linux

On Mon 2009-10-26 18:11:56, Dan Yefimov wrote:
> On 26.10.2009 18:06, Pavel Machek wrote:
> >On Mon 2009-10-26 15:37:50, Dan Yefimov wrote:
> >>On 26.10.2009 13:54, psz@...hs.usyd.edu.au wrote:
> >>>Dear Dan,
> >>>
> >>>>... in authentic kernels /proc/<PID>/fd/<FD>   are symlinks ...
> >>>
> >>>They appear to /bin/ls as symlinks, but observation suggests that they
> >>>"act" as hardlinks. Could that be fixed somehow? (I did look at the
> >>>kernel fs/proc/base.c but did not make much sense to me...)
> >>>
> >>Just looked more carefully at fs/proc/base.c. That behavior is due
> >>to proc_fd_info() called from proc_fd_link() obtains file->f_path,
> >>that in turn contains the reference to the open file dentry and
> >>hence inode. That's exactly why those symlinks behave as hardlinks.
> >>This behavior assumes, that if you were able to open the file,
> >>you've all necessary transition permissions to access it's inode.
> >>But in order to follow them you need privileges to read the process
> >>memory, which hardly restricts the impact of this behavior. I don't
> >>think this should be fixed, since /proc/<PID>/fd/ is mainly for
> >>debugging purposes.
> >
> >guest certianly does not have permission to ptrace() pavel's
> >processes, so...
> 
> But guest has permissions to ptrace() his own processes. If we
> remember your original report, he abuses input redirection of bash
> run by himself. So again, there's no real security hole here.

guest abuses ptrace permissions on his own processes to write to
pavel's files... no, that obviously is not security hole :-).

Whatever. I agree that it is obscure, but I believe that it is
security problem, and the one that should be fixed. By now, someone is
probably working for a fix. (I took a stab at patching kernel, too).

We probably should not continue this debate on bugtraq. Enough was
said already, and right people are probably already aware of this
issue.

(The debate is still relevant on lkml, so lets continue discussion
there).
									Pavel
-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ