Re: /proc/<pid>/mem unreadable (was strace and linux 1.3.97)

Aaron Ucko (UCKO@vax1.rockhurst.edu)
Thu, 02 May 1996 22:17:07 -0600 (CST)


>>>>>> "?????" == unknown author writes:
>>>>>> "Aaron" == Aaron Ucko <ucko@vax1.rockhurst.edu> writes:
>>>>>> "Kevin" == Kevin M Bealer <kmb203@psu.edu> writes:
>
>
>?????> The same happened to me. The problem is that strace accesses
>?????> the tracee's memory through /proc/<pid>/mem but as of 1.3.96
>?????> any read from processes different from the one which owns the
>?????> memory fail with EACCES.
>
>Aaron> This looks like an overly-conservative patch for the
>Aaron> /proc/<pid>/mem security hole involving setuid programs. The
>Aaron> kernel should really return EACCESS only if the process we are
>Aaron> trying to read is setuid.
>
>Kevin> From what I caught of the discussion, you can start watching
>Kevin> the process's memory, then have the process 'exec' something
>Kevin> suid root, and read straight through the suid root memory.
>
>Seems to me that the answer, then, is to have /proc/<pid>/mem mod 600
>and owned by the euid of the process, rather than owned by the uid
>that ran it. Linus?

Whoops, I misspoke. It's already 600 and owned by the euid; the hole
involves opening the fd before the exec and holding on to it while it
changes modes. At that point, the fd needs to be somehow invalidated
for non-root processes.

-- Aaron Ucko (ucko@vax1.rockhurst.edu; finger for PGP public key) | httyp!
"That's right," he said. "We're philosophers. We think, therefore we am."
-- Terry Pratchett, _Small Gods_ | Geek Code 3.1 [for explanation, finger
hayden@mankato.msus.edu]: GCS/M/S/C d- s: a18 C++(+++)>++++ UL++>++++ P++
L++>+++++ E- W(-) N++(+) o+ K- w--- O M@ V-(--) PS++(+++) PE- Y(+) PGP(+) t(+)
!5 X-- R(-) tv-@ b++(+++) DI+ !D-- G++(+++) e->+++++(*) h!>+ r-(--)>+++ y?
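An added example, not code from this mail, from strace or from the kernel thread: a small check for the property the reply asks for, namely that a file descriptor on /proc/<pid>/mem opened before the target exec()s stops yielding the target's memory afterwards. The child execs a plain "sleep" (assumed to be on PATH) rather than anything setuid, so the program only reports how the kernel treats the stale fd. It assumes Linux (/proc, pipe2) and permission to open a child's mem file; the name check_mem_fd_after_exec and the marker value are the example's own.

```c
/* Regression check (added example): does a /proc/<pid>/mem fd opened before
 * the target exec()s still read memory afterwards?
 *
 * check_mem_fd_after_exec() returns:
 *   0  pread() on the stale fd returns 0 bytes after exec (fd invalidated)
 *   1  pread() still returns data after exec (fd followed the new image)
 *  -1  inconclusive: setup failed, or the child died instead of exec'ing
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

#define MARKER 0x5A5A5A5Au   /* constructed value, nothing special about it */

/* Set before fork(), so the child carries the same value at the same
 * address; the parent reads it back through /proc/<child>/mem. */
static volatile uint32_t marker;

/* Read sizeof(marker) bytes at &marker from the process behind memfd. */
static ssize_t read_marker(int memfd, uint32_t *out)
{
    return pread(memfd, out, sizeof *out, (off_t)(uintptr_t)&marker);
}

static int finish(pid_t pid, int memfd, int result)
{
    if (memfd >= 0)
        close(memfd);
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    return result;
}

int check_mem_fd_after_exec(void)
{
    int go[2], exec_done[2];
    char c;
    uint32_t v = 0;

    marker = MARKER;
    /* exec_done's write end is O_CLOEXEC: it closes exactly when the
     * child's exec succeeds (or the child dies), giving the parent EOF. */
    if (pipe(go) < 0 || pipe2(exec_done, O_CLOEXEC) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        close(go[1]);
        close(exec_done[0]);
        if (read(go[0], &c, 1) != 1)   /* wait until the parent holds the fd */
            _exit(2);
        execlp("sleep", "sleep", "30", (char *)NULL);
        _exit(3);
    }
    close(go[0]);
    close(exec_done[1]);

    /* 1. Open the tracee's memory before it execs, as strace did. */
    char path[48];
    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    int memfd = open(path, O_RDONLY);
    if (memfd < 0)
        return finish(pid, -1, -1);

    /* 2. Confirm the fd really reads the pre-exec image. */
    if (read_marker(memfd, &v) != (ssize_t)sizeof v || v != MARKER)
        return finish(pid, memfd, -1);

    /* 3. Let the child exec and wait for the CLOEXEC end to close. */
    if (write(go[1], "x", 1) != 1 || read(exec_done[0], &c, 1) != 0)
        return finish(pid, memfd, -1);
    close(go[1]);
    close(exec_done[0]);

    /* The child must still be alive: EOF from a dead process would only
     * mean the process is gone, not that exec invalidated the fd. */
    if (waitpid(pid, NULL, WNOHANG) != 0)
        return finish(pid, memfd, -1);

    /* 4. Read through the stale fd again. */
    ssize_t n = read_marker(memfd, &v);
    return finish(pid, memfd, n == 0 ? 0 : (n > 0 ? 1 : -1));
}

int main(void)
{
    int r = check_mem_fd_after_exec();
    printf("stale /proc/<pid>/mem fd after exec: %s\n",
           r == 0 ? "invalidated (0 bytes)" :
           r == 1 ? "STILL READABLE" : "inconclusive");
    return r == 0 ? 0 : 1;
}
```

On current kernels the mem file pins the mm it was opened against, so once exec has replaced the child's address space the old fd reads as empty (result 0); that is the "fd invalidated at exec" behaviour the reply asks for, and it holds for every caller, not just non-root ones. A result of 1 would mean the fd follows the process into its new image, which is the hole described above.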