directory access
people who think in contorted fashion and make a lot of flawed
assumptions, though (those guys are going to create many other
security problems as well, so we should rather educate them
about avoiding flawed assumptions).
Directory access permissions are purely about access to directory
contents (which are plain names). Directory access permissions
(at least on Unix) do NOT affect access to files, and they're
NOT checked for permission on open(2) -- and have never been.
There may be a side-effect of directory access permissions when
b) unlike other hardlinks, you can't see it on the link count
(and c) writing to file descriptor opened read-only is bad).
> >Plus, you may run traditional unix/POSIX application, expecting
> >directory access controls to prevent the write. (Or can you see a way
> >to write to that file when /proc is unmounted?)
> >
> Directory permissions control an access just to the directory
> itself, not to the files in it, so your pretensions are in fact
> illegitimate.
/proc is unmounted.
I do not think mounting /proc should change access control semantics.
Plus, you may run traditional unix/POSIX application, expecting
directory access controls to prevent the write. (Or can you see a way
to write to that file when /proc is unmounted?)
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
an unrestricted location, what would you say? Procfs is in that respect just
another sort of hardlinks, whether you like that or not. If you didn't in fact
restrict an access to the file, you're on your own.
> Plus, you may run traditional unix/POSIX application, expecting
> directory access controls to prevent the write. (Or can you see a way
> to write to that file when /proc is unmounted?)
>
Directory permissions control an access just to the directory itself, not to the
files in it, so your pretensions are in fact illegitimate. Anyway, you're free
to consider that a security hole, but remember, that nobody is obliged to agree
Earlier versions may also be affected.
Overview:
1. Vendor description of software
------------------------------------------------
TurboFTP Server is a high performance, secure, scalable and management friendly file transfer server running on Windows platforms. With it you can easily set up a secure file transfer server that delivers regular FTP, FTP over SSL/TLS, and "SFTP over SSH" services with virtual domains, advanced directory access control, virtual folders, IP access control, flexible authentication options and many other features.
2. Vulnerability details:
------------------------------------------------
A directory traversal vulnerability exists in the "FTP" and "SFTP" modules of Turbo FTP Server that allows an authenticated user to create directories outside the root directory, which may lead to other attacks.
If you could log on the server successfully,
> b) unlike other hardlinks, you can't see it on the link count
>
> (and c) writing to file descriptor opened read-only is bad).
>
>>> Plus, you may run traditional unix/POSIX application, expecting
>>> directory access controls to prevent the write. (Or can you see a way
>>> to write to that file when /proc is unmounted?)
>>>
>> Directory permissions control an access just to the directory
>> itself, not to the files in it, so your pretensions are in fact
>> illegitimate.
- its file access semantics are not identical to the rest of the file system
(e.g. they are not really symlinks, and they are not really hard
links, and the link count is not incremented, and the average
person will have no idea about their semantics).
- it creates a pseudo-link with permissions which do not regard the directory
access controls the user had to pass authorization checks to gain access.
I still think it's not a huge deal, but I also do think it's not a
total non-issue. The fix seems clear and obvious to me: The files in
/proc/$pid are shown with the "real" path they refer to, so obviously
the kernel retains that information. Access to those files should be
> >with /proc unmounted.
> >
> I remember the original mail content. You're right, you can't reach
> the file if the procfs is not mounted, but you forget about the
> race, allowing the guest to create a hardlink to the file in an
> unrestricted location before the directory access becomes
> restricted. Again, procfs is just another, specific kind of
> hardlinks.
Check it again. There's no race; I check link count before chmod 666.
Pavel
TurboFTP Server is a high performance, secure, scalable and management
friendly file transfer server running on Windows platforms. With it you
can easily set up a secure file transfer server that delivers regular FTP,
FTP over SSL/TLS, and SFTP over SSH services with virtual domains,
advanced directory access control, virtual folders, IP access control,
flexible authentication options and many other features.
0x02 : Vulnerability details
>>> with /proc unmounted.
>>>
>> I remember the original mail content. You're right, you can't reach
>> the file if the procfs is not mounted, but you forget about the
>> race, allowing the guest to create a hardlink to the file in an
>> unrestricted location before the directory access becomes
>> restricted. Again, procfs is just another, specific kind of
>> hardlinks.
>
> Check it again. There's no race; I check link count before chmod 666.