|
|
 |
| New User, Welcome! Login |
Re: /proc filesystem allows bypassing directory permissions on Linux
| From: |
Marco Verschuur <marco osp nl> |
| To: |
bugtraq securityfocus com |
| Cc: |
|
| Subject: |
Re: /proc filesystem allows bypassing directory permissions on Linux |
| Date: |
Tue - Oct 27, 2009 01:19 PM |
My buy.. :-( I persumed a re-use of the read-only FD, but that's not
the case.
I replayed it on a test-box and did some strace meanwhile and also
took a look
at the sourcecode of kernel/fs/proc.
It seems that the /proc filedescriptor is directly referring the file
inode
When creating this proc-entry the user guest did have access to the
file and the path via tmp,
therefore a successfull filedescriptor straight to the file inode is
being created, while checking
th entire path towards the file.
Although closing the path to the file, the actual file is made world
writable due to the file permissions being 666.
When guest does the "echo got you > /proc/self/fd/3" the /proc
filedescriptor (which directly refers the file inode)
is opened in O_WRONLY. So user guest is able to write the file.
IMHO; no bug or security issue, just a misunderstanding of the
mechanism...
Best regards,
Marco
On 27 okt 2009, at 13:56, psz@maths.usyd.edu.au wrote:
> Marco Verschuur <marco@osp.nl> wrote:
>
>> And due to the actual file permissions the read-only fd can easily
>> changed to read-write.
>
> How would you do that? Cannot use fcntl() as that would not let you.
>
> Cheers, Paul
>
> Paul Szabo psz@maths.usyd.edu.au http://www.maths.usyd.edu.au/u/psz/
> School of Mathematics and Statistics University of Sydney
> Australia
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
