On Sun, Nov 05, 2000 at 01:02:14PM +0000, Lutz Pressler wrote:
> Hello,
>
> I do not think that the following behaviour (2.4.0-test10 on i386, also
> tested with 2.4.0-test8) is intended:
>
..
> This is bad. 2.2 kernels don't show this behavior. There _any_
> /proc/PID/cwd "directory" has no group or world permissions
> at all.
>
> I haven't looked at the code at all yet. Anybody with a fix?
I wonder that noone rospond. I can confirm this - in 2.2.x links to cwd,
exe etc. pointed to nowhere (readlink failed) when there was insufficient
privileges to enter the dir. In 2.4.x the links blindly points to directory
setting all its privileges for access by /proc. Because everyone has dirs
drwxr-xr-x in his home, such dirs now become accesible through /proc if user
is in them. This is real security leak.
ex:
[johnydog@napalm 210]$ whoami
johnydog
[johnydog@napalm 210]$ pwd
/proc/210
[johnydog@napalm 210]$ ls -l ./cwd
lrwxrwxrwx 1 root root 0 Nov 6 01:26 ./cwd -> /root/.mc
[johnydog@napalm 210]$ cd /root/.mc
bash: /root/.mc: Permission denied
[johnydog@napalm 210]$ cd cwd
[johnydog@napalm cwd]$ ls -l
total 53
-rw-r--r-- 1 root root 35 Nov 6 01:16 Tree
-rw-r--r-- 1 root root 13203 May 31 11:54 ext
-rw------- 1 root root 15952 Nov 6 01:16 history
-rw------- 1 root root 20 May 6 1998 hotlist
-rw-r--r-- 1 root root 6417 Nov 6 01:16 ini
drwx------ 2 root root 3072 Nov 6 01:16 tmp
-rw-r--r-- 1 root root 10121 Jun 30 17:04 tree
[johnydog@napalm cwd]$
Jan Dvorak <johnydog@go.cz>
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Nov 07 2000 - 21:00:18 EST