| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <AC843CFC-5020-4281-88BD-56208DC32074@osp.nl> Date: Tue, 27 Oct 2009 21:19:19 +0100 From: Marco Verschuur <marco@....nl> To: bugtraq@...urityfocus.com Subject: Re: /proc filesystem allows bypassing directory permissions on Linux My buy.. :-( I persumed a re-use of the read-only FD, but that's not the case. I replayed it on a test-box and did some strace meanwhile and also took a look at the sourcecode of kernel/fs/proc. It seems that the /proc filedescriptor is directly referring the file inode When creating this proc-entry the user guest did have access to the file and the path via tmp, therefore a successfull filedescriptor straight to the file inode is being created, while checking th entire path towards the file. Although closing the path to the file, the actual file is made world writable due to the file permissions being 666. When guest does the "echo got you > /proc/self/fd/3" the /proc filedescriptor (which directly refers the file inode) is opened in O_WRONLY. So user guest is able to write the file. IMHO; no bug or security issue, just a misunderstanding of the mechanism... Best regards, Marco On 27 okt 2009, at 13:56, psz@...hs.usyd.edu.au wrote: > Marco Verschuur <marco@....nl> wrote: > >> And due to the actual file permissions the read-only fd can easily >> changed to read-write. > > How would you do that? Cannot use fcntl() as that would not let you. > > Cheers, Paul > > Paul Szabo psz@...hs.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/ > School of Mathematics and Statistics University of Sydney > Australia
Powered by blists - more mailing lists