Message-ID: <20091028215837.GK3780@zip.com.au>
Date: Thu, 29 Oct 2009 08:58:37 +1100
From: CaT <cat@....com.au>
To: Ansgar Wiechers <bugtraq@...netcobalt.net>,
	bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on
	Linux

On Tue, Oct 27, 2009 at 03:34:04PM -0500, Derek Martin wrote:
> $ mkdir foo
> $ cd foo
> $ echo hi > bar
> $ ls -la
> total 12
> drwxr-xr-x  2 user1 group1 4096 2009-10-27 16:22 ./
> drwx------ 57 user1 group1 4096 2009-10-27 16:22 ../
> -rw-r--r--  1 user1 group1    3 2009-10-27 16:22 bar
> $ chmod 000 .
> $ echo bye > bar
> -bash: bar: Permission denied

I think that fails because you've removed the search bits from the dir so
bash no longer has permissions to -find- the file. E.g.:

$ mkdir test
$ cd test
$ echo moo >cow
$ chmod 600 .
$ echo meow >cow
bash: cow: Permission denied

> The problem with the /proc interface is:
> 
>  - it is automatic (if /proc is mounted)
>  - its file access semantics are not identical to the rest of the file system
>    (e.g. they are not really symlinks, and they are not really hard
>    links, and the link count is not incremented, and the average
>    person will have no idea about their semantics).
>  - it creates a pseudo-link with permissions which do not regard the directory
>    access controls the user had to pass authorization checks to gain access.

Would the file descriptor work differently if the program that opened the
file changed it after the victim changed the permissions on the directory?
It should be noted that 2 users have access to /proc/$pid/fd/$fd - the
user the program is running as and root (at least that is the case on my
Linux system).

-- 
  "A search of his car uncovered pornography, a homemade sex aid, women's 
  stockings and a Jack Russell terrier."
    - http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html
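
The two points raised in this reply (a directory without the search bit blocks path lookups, and /proc/$pid/fd is reachable only by the process owner and root) can be checked on a Linux system with the sketch below. It is an added example, not part of the original message; the temporary directory, fd number 9 and the function names are constructed, and it assumes a mounted /proc and a `stat` that supports `-c` (GNU or BusyBox).

```shell
#!/bin/sh
# Added example: constructed paths and names, Linux only (/proc must be mounted).

# 1. Path lookup vs. an already-open descriptor once the directory
#    loses its search (x) bit, as in the "chmod 600 ." session above.
demo_search_bit() {
    d=$(mktemp -d) || return 1
    echo moo > "$d/cow"
    exec 9>>"$d/cow"          # fd 9 opened while the directory is searchable
    chmod 600 "$d"            # rw- on a directory grants no search permission
    # Opening by path needs search permission on every directory component.
    if ( echo meow >> "$d/cow" ) 2>/dev/null; then
        by_path=allowed       # expected only for root (CAP_DAC_OVERRIDE)
    else
        by_path=denied
    fi
    # Permissions were checked at open() time, so the old fd still works.
    if echo woof >&9; then by_fd=allowed; else by_fd=denied; fi
    exec 9>&-
    chmod 700 "$d"
    lines=$(grep -c '' "$d/cow")
    rm -rf "$d"
    echo "path=$by_path fd=$by_fd lines=$lines"
}

# 2. Who may traverse /proc/<pid>/fd: print "owner-uid octal-mode".
fd_dir_perms() {
    stat -c '%u %a' "/proc/$1/fd"
}

demo_search_bit
echo "/proc/$$/fd: $(fd_dir_perms $$) (current uid: $(id -u))"
```

On a stock Linux kernel the mode reported for /proc/$pid/fd is 500 (dr-x------), which is why only the owning user and root can reach the entries inside it.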
