Re: /proc filesystem allows bypassing directory permissions on Linux

From: Daryl Tester <dt-bugtraq@handcraftedcomputers.com.au>
To: bugtraq@securityfocus.com
Cc:
Subject: Re: /proc filesystem allows bypassing directory permissions on Linux
Date:


Pavel Machek wrote:

> So what did happen? User guest was able to work around directory
> permissions in the background, using /proc filesystem.
> 
> guest@toy:~$ bash 3< /tmp/my_priv/unwritable_file 

Although having an already open handle to the file is kind of cheating. :-)
(well, it isn't, but I think it's a mitigating factor).

> # ...until we take a way around it with /proc filesystem. Oops.
> guest@toy:/tmp/my_priv$ echo got you > /proc/self/fd/3 

But I understand that the check on the parent directory of the file for
accessibility appears to be missing here, at least to get the same behaviour
as relative file opening.  Despite what Dan says regarding the behaviour as
"by design", I find the /proc/fd system under Linux to be, erm, "ad hoc", and
the semantics not well documented (if at all).  The Linux implementation seems
to be more "filename based" rather than file descriptor (which appears to be
the BSD model), which has tripped me up before (e.g.
<http://lkml.org/lkml/2008/8/7/25>).


-- 
Regards,
  Daryl Tester

"Scheme is an exotic sports car. Fast. Manual transmission. No radio.
 Common Lisp is Howl's Moving Castle."
  -- Steve Yegge, comparing Lisp families to cars.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.