| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 29 Oct 2009 18:24:01 +0300 From: Dan Yefimov <dan@...htwave.net.ru> To: Pavel Machek <pavel@....cz> Cc: bugtraq@...urityfocus.com Subject: Re: /proc filesystem allows bypassing directory permissions on Linux On 29.10.2009 0:27, Pavel Machek wrote: >>> That race is easily fixed. >> >> No, you're not right. >> >>> After chmodding the directory to 0700, *first* >>> check the link count, *then* chmod the file to 0666: >>> >>> User1 creates file with permissions 0644 >>> User2 opens file for read access on file descriptor 4 >>> User1 chmod's directory to 0700 >>> User1 verifies no hard links to file >> >> Here's a window, during which User2 is able to create a hardlink and >> that will remain unnoticed by User1. There's no way to perform link >> check and conditionally do chmod in an atomic manner. > > 0700 on directory prevents hardlink creation, see? > Do you still remember about openat()? If the directory was created with 0700 mode from the origin, you would be right, and procfs wouldn't allow opening files in that directory too, but if you let others to traverse that directory and open your believed to be secure files from the origin, it's your fault. -- Sincerely Your, Dan.
Powered by blists - more mailing lists