Message-ID: <20120523205857.GA22643@hexapodia.org>
Date:	Wed, 23 May 2012 13:58:57 -0700
From:	Andy Isaacson <adi@...apodia.org>
To:	linux-kernel@...r.kernel.org
Cc:	Alexey Dobriyan <adobriyan@...il.com>
Subject: setreuid() results in unreadable /proc/self/fdinfo/

The enclosed testcase shows that after using setreuid to permanently
give up root privs, the process loses its ability to open
/proc/self/fdinfo (as well as some but not all other entries in
/proc/self/).

This seems to fail only with threads -- a singlethreaded program does
not show the same failure.  The failure is the same if the setreuid is
done in the parent thread (before pthread_create) or in the child
thread.

This testcase shows the same behavior on RHEL5 and on
3.4.0-rc4-00095-g95f7147.

This was originally found in Java code using the jsvc project.

A similar discussion happened 3.5 years ago (!) in
http://lkml.indiana.edu/hypermail/linux/kernel/0808.0/3350.html
(CCing Alexey.)

% cc -O2 -Wall setuid-proc-self-fd.c -o setuid-proc-self-fd -lpthread
% sudo ./setuid-proc-self-fd
uid = 0 euid = 0
uid = 1000 euid = 1000
main created thread, waiting.
/proc/self/fdinfo: Permission denied
delaying 100 seconds.
...
% sudo ls -ld /proc/`pidof setuid-proc-self-fd`{,/task/*}{,/fdinfo}
dr-xr-xr-x 7 andy root 0 May 23 13:43 /proc/31640
dr-x------ 2 root root 0 May 23 13:43 /proc/31640/fdinfo
dr-xr-xr-x 5 andy root 0 May 23 13:44 /proc/31640/task/31640
dr-x------ 2 root root 0 May 23 13:44 /proc/31640/task/31640/fdinfo
dr-xr-xr-x 5 andy root 0 May 23 13:44 /proc/31640/task/31641
dr-x------ 2 root root 0 May 23 13:44 /proc/31640/task/31641/fdinfo


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <stdarg.h>

#include <unistd.h>
#include <fcntl.h>

#include <pthread.h>

void die(char *fmt, ...)
    __attribute__((noreturn))
    __attribute__((format(printf, 1, 2)));

void die(char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vfprintf(stderr, fmt, ap);
    va_end(ap);
    exit(1);
}

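/* Runs in the second thread: try to open the process's own fdinfo directory. */
void *do_child(void *arg)
{
    int fd;

    if((fd = open("/proc/self/fdinfo", O_RDONLY|O_DIRECTORY)) == -1) {
        fprintf(stderr, "/proc/self/fdinfo: %s\n", strerror(errno));
        /* Stay alive so /proc/<pid> can be inspected from another shell. */
        fprintf(stderr, "delaying 100 seconds.\n");
        sleep(100);
    }

    printf("fd = %d\n", fd);
    fflush(stdout);

    return 0;
}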

int main(int argc, char **argv)
{
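    pthread_t t;
    int rc;

    printf("uid = %d euid = %d\n", (int)getuid(), (int)geteuid());
    /* Permanently drop root; a failed drop must not go unnoticed. */
    if (setreuid(1000,1000) == -1)
        die("setreuid: %s\n", strerror(errno));
    printf("uid = %d euid = %d\n", (int)getuid(), (int)geteuid());

    /* pthread_create returns an error number instead of setting errno. */
    if ((rc = pthread_create(&t, 0, do_child, 0)) != 0)
        die("pthread_create: %s\n", strerror(rc));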

    printf("main created thread, waiting.\n");

    pthread_join(t, 0);

    printf("main exiting.\n");

    return 0;
}

-andy