[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <200910261530.n9QFUYHr013930@dm-holland-02.uk.sun.com>
Date: Mon, 26 Oct 2009 16:30:34 +0100
From: Casper.Dik@....com
To: Pavel Machek <pavel@....cz>
Cc: Dan Yefimov <dan@...htwave.net.ru>,
Matthew Bergin <matt.bergin@...mail.com>, bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on Linux
Pavel Machek wrote:
>On Sat 2009-10-24 01:12:51, Dan Yefimov wrote:
>> On 24.10.2009 0:35, Matthew Bergin wrote:
>> >doesnt look like the original owner is trying to write to it. Shows it
>> >cant, it had guest write to it via the proc folders bad permissions.
>> >Looks legitimate
>> >
>> Please tell me, who issued 'chmod 0666 unwritable_file'? Was that an
>> attacker? No, that was the owner of 'unwritable_file', nobody else.
>> What the 0666 file mode means? It means, that everybody can write to
>> the file, can't he? So why do you believe that pretension
>> legitimate?
>
>Original owner did chmod 666... after making sure traditional unix
>permissions protect the file. Please look at original mail; it was
>subtle but I believe I got it right, and file would not be writable
>with /proc unmounted.
In Solaris, you don't have permission to access a file in /proc/<pid>/fd unless
you can control the process <pid>.
$ ls -l /proc/1/fd
/proc/1/fd: Permission denied
If you can control <pid>, then clearly you have access the file anyway
simply by controlling it using a debugger.
I agree with Pavel's assessment here.
Casper
Powered by blists - more mailing lists