SecurityFocus

/proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 05:16PM
Pavel Machek (pavel ucw cz) (4 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 26 2009 04:01PM
Tony Finch (dot dotat at) (3 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 01:06PM
Pavel Machek (pavel ucw cz)

Hi!

> >pavel@toy:/tmp$ uname -a
> >Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linux
> >pavel@toy:/tmp mkdir my_priv; cd my_priv
>
> Attacker opens my_priv and waits.
...
> >pavel@toy:/tmp/my_priv$ cat unwritable_file
> >this file should never be writable
>
> Attacker uses openat() to open and modify the "private" file.
>
> >pavel@toy:/tmp/my_priv$ cat unwritable_file
> >got you
> ># Security problem here
> >
> >Unexpected? Well, yes, to me anyway. Linux specific? Yes, I think so.
>
> Not quite, as described above: there's a permissions race which
> allowed the attacker to open the my_priv directory. Once you
> have an fd on a directory it's possible to open any file inside
> without a full-path permissions check. If you created the directory
> using `mkdir -m 0700` (eliminating the race) then you should be safe.

Ok, if linux honors O_SEARCH on directories, then you found problem
with my example. Congratulations, you were the first one :-).

I could present more complex example, pavel passing guest read-only
file descriptor over unix socket. At that point, you would not be able
to play with openat. OTOH, that example would be complex & ugly :-(.
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html

[ reply ]

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 12:05AM
psz maths usyd edu au

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 26 2009 10:48PM
Matthew Dempsky (matthew dempsky org) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 11:29AM
Tony Finch (dot dotat at) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 08:39PM
psz maths usyd edu au (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 28 2009 10:31PM
Glynn Clements (glynn gclements plus com)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 04:59PM
Matthew Dempsky (matthew dempsky org)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 25 2009 10:13AM
Pavel Kankovsky (peak argo troja mff cuni cz)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 24 2009 01:55AM
Daryl Tester (dt-bugtraq handcraftedcomputers com au)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 07:57PM
Dan Yefimov (dan lightwave net ru) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 24 2009 06:46AM
Derek Martin (code pizzashack org) (1 replies)

Re: /proc filesystem allows bypassing directory permissions onLinux Oct 26 2009 06:37PM
Ansgar Wiechers (bugtraq planetcobalt net) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 08:34PM
Derek Martin (code pizzashack org) (1 replies)

Re: /proc filesystem allows bypassing directory permissions onLinux Oct 28 2009 09:58PM
CaT (cat zip com au)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 09:08PM
Pavel Machek (pavel ucw cz) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 11:47PM
psz maths usyd edu au (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 24 2009 07:02PM
Pavel Machek (pavel ucw cz) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 25 2009 12:40AM
psz maths usyd edu au (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 26 2009 10:42AM
Dan Yefimov (dan lightwave net ru)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 09:24PM
Dan Yefimov (dan lightwave net ru) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 09:56PM
Pavel Machek (pavel ucw cz) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 26 2009 06:14PM
Joel Maslak (jmaslak antelope net)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 23 2009 10:31PM
Dan Yefimov (dan lightwave net ru) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 26 2009 04:14PM
Stephen Harris (bugtraq spuddy org) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 11:04AM
Vincent Zweije vincent+bugtraq (at) sense.xs4all (dot) nl [email concealed] (vincent+bugtraq sense xs4all nl) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 27 2009 05:09PM
Dan Yefimov (dan lightwave net ru) (3 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 28 2009 09:27PM
Pavel Machek (pavel ucw cz) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 29 2009 03:24PM
Dan Yefimov (dan lightwave net ru) (1 replies)

Re: /proc filesystem allows bypassing directory permissions onLinux Oct 29 2009 07:20PM
Pavel Machek (pavel ucw cz) (1 replies)

Re: /proc filesystem allows bypassing directory permissions onLinux Oct 29 2009 08:10PM
Jim Paris (jim jtan com) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 30 2009 05:57PM
Marco Verschuur (marco osp nl)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 30 2009 05:22PM
Marco Verschuur (marco osp nl) (2 replies)

Re: /proc filesystem allows bypassing directory permissions onLinux Oct 30 2009 05:40PM
Jim Paris (jim jtan com) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 02 2009 05:53PM
Martin Rex (Martin Rex sap com) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 02 2009 07:53PM
Pavel Machek (pavel ucw cz) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 02 2009 08:56PM
Gabor Gombas (gombasg sztaki hu) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 02 2009 11:33PM
Martin Rex (Martin Rex sap com) (3 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 08:29PM
Pavel Kankovsky (peak argo troja mff cuni cz)

Re: /proc filesystem allows bypassing directory permissions on Nov 03 2009 01:06PM
Dan Yefimov (dan lightwave net ru)

Re: /proc filesystem allows bypassing directory permissions on Nov 03 2009 09:32AM
Gabor Gombas (gombasg sztaki hu) (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 03 2009 11:17PM
psz maths usyd edu au (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 08:06AM
Gabor Gombas (gombasg sztaki hu) (3 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 10:15AM
psz maths usyd edu au (1 replies)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 11:40AM
Gabor Gombas (gombasg sztaki hu)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 08:32AM
Pavel Machek (pavel ucw cz)

Re: /proc filesystem allows bypassing directory permissions on Nov 04 2009 08:31AM
Pavel Machek (pavel ucw cz)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 30 2009 05:38PM
Pavel Machek (pavel ucw cz) (2 replies)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 30 2009 07:13PM
psz maths usyd edu au

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 30 2009 06:27PM
Marco Verschuur (marco osp nl)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 28 2009 08:28PM
Vincent Zweije (vzweije zweije nl)

Re: /proc filesystem allows bypassing directory permissions on Linux Oct 28 2009 08:04PM
psz maths usyd edu au