| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 28 Oct 2009 22:27:29 +0100 From: Pavel Machek <pavel@....cz> To: Dan Yefimov <dan@...htwave.net.ru> Cc: bugtraq@...urityfocus.com Subject: Re: /proc filesystem allows bypassing directory permissions on Linux Hi! > >That race is easily fixed. > > No, you're not right. > > > After chmodding the directory to 0700, *first* > >check the link count, *then* chmod the file to 0666: > > > > User1 creates file with permissions 0644 > > User2 opens file for read access on file descriptor 4 > > User1 chmod's directory to 0700 > > User1 verifies no hard links to file > > Here's a window, during which User2 is able to create a hardlink and > that will remain unnoticed by User1. There's no way to perform link > check and conditionally do chmod in an atomic manner. 0700 on directory prevents hardlink creation, see? pavel@amd:/tmp$ mkdir my_dir pavel@amd:/tmp$ cd my_dir/ pavel@amd:/tmp/my_dir$ ls pavel@amd:/tmp/my_dir$ > foo pavel@amd:/tmp/my_dir$ chmod 700 . pavel@amd:/tmp/my_dir$ su guest Password: guest@amd:/tmp/my_dir$ ln foo /tmp/bar ln: accessing `foo': Permission denied guest@amd:/tmp/my_dir$ You need x bit on directory to look up foo. > >Excluding the /proc route, at no point during this sequence, User2 could > >have opened the file for writing. Therefore, User1 expects (justified, > >imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4 > >violates this expectation. > > > Again, you're not right. See above. No, he's right, see above. Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Powered by blists - more mailing lists