[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20091028212729.GA8027@elf.ucw.cz>
Date: Wed, 28 Oct 2009 22:27:29 +0100
From: Pavel Machek <pavel@....cz>
To: Dan Yefimov <dan@...htwave.net.ru>
Cc: bugtraq@...urityfocus.com
Subject: Re: /proc filesystem allows bypassing directory permissions on
Linux
Hi!
> >That race is easily fixed.
>
> No, you're not right.
>
> > After chmodding the directory to 0700, *first*
> >check the link count, *then* chmod the file to 0666:
> >
> > User1 creates file with permissions 0644
> > User2 opens file for read access on file descriptor 4
> > User1 chmod's directory to 0700
> > User1 verifies no hard links to file
>
> Here's a window, during which User2 is able to create a hardlink and
> that will remain unnoticed by User1. There's no way to perform link
> check and conditionally do chmod in an atomic manner.
0700 on directory prevents hardlink creation, see?
pavel@amd:/tmp$ mkdir my_dir
pavel@amd:/tmp$ cd my_dir/
pavel@amd:/tmp/my_dir$ ls
pavel@amd:/tmp/my_dir$ > foo
pavel@amd:/tmp/my_dir$ chmod 700 .
pavel@amd:/tmp/my_dir$ su guest
Password:
guest@amd:/tmp/my_dir$ ln foo /tmp/bar
ln: accessing `foo': Permission denied
guest@amd:/tmp/my_dir$
You need x bit on directory to look up foo.
> >Excluding the /proc route, at no point during this sequence, User2 could
> >have opened the file for writing. Therefore, User1 expects (justified,
> >imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
> >violates this expectation.
> >
> Again, you're not right. See above.
No, he's right, see above.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Powered by blists - more mailing lists