In 2.1.x (well, 78 currently), I've caused an interesting situation to
occur in /proc.
Basically, make a process that holds open a /proc/<pid>/mem file of your
choice, and then sleeps indefinitely.
Now arrange for process <pid> to exit, i.e. use a temporary shell. Now, cd
/proc and do a ls. The directory <pid> will be gone, as expected (the
process no longer exists). HOWEVER YOU CAN STILL BLINDLY CD INTO THE
DIRECTORY <PID>. The file mem is shown as owned by me. The rest of the
files are shown as root.root.
At best this is a readdir/dcache inconsistency, and at worst maybe someone
can play nasty games by wrapping the pids over back to the dubious pid?
Or cause dcache leaks/anomalies/duplicates? I invite people to play.
On the subject of /proc, I'll stick myself out on a limb and suggest that
it is the biggest single source of _potential_ kernel security problems.
Perhaps it needs a good old audit?
BTW: no one told me why Linux escaped the *BSD hole whereby you can mess
with /proc/pid/mem, then exec a suid program, and mess with its memory.
Anyone?
Chris
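An added regression probe for the steps in the report above (not Chris's code and not from the kernel tree): a helper keeps /proc/<pid>/mem open while <pid> exits and is reaped, then the script tries to enter /proc/<pid>. The function name probe_stale_proc_dir and the helper are assumed, as is a Linux /proc on which the current user may open the mem file of its own child.

```shell
#!/bin/sh
# Added probe for the stale /proc/<pid> directory described in the report above;
# this is not code from the original post. Assumes a Linux /proc and that the
# current user is allowed to open /proc/<pid>/mem of its own child process.

# Prints "stale" if /proc/<pid> can still be entered after <pid> has exited and
# been reaped while another process keeps /proc/<pid>/mem open (the 2.1.78
# observation), "gone" if the kernel refuses, and "unsupported" if the mem
# file could not be opened in this environment at all.
probe_stale_proc_dir() {
    pidfile=$(mktemp) || { echo unsupported; return 0; }

    # Holder: start the victim as its own child, keep the victim's mem file open
    # on fd 3, publish the victim pid, reap it once it is killed, then linger
    # (exec into sleep) with fd 3 still open, exactly as the report describes.
    sh -c '
        sleep 60 & victim=$!
        true </proc/$victim/mem 2>/dev/null || { kill $victim; exit 1; }
        exec 3</proc/$victim/mem
        echo "$victim" >"$1"
        wait "$victim"
        exec sleep 60
    ' holder "$pidfile" >/dev/null 2>&1 &
    holder=$!

    # Wait (up to 5 s) for the holder to publish the victim pid.
    i=0
    while [ ! -s "$pidfile" ] && [ "$i" -lt 50 ]; do sleep 0.1; i=$((i + 1)); done
    victim=$(cat "$pidfile"); rm -f "$pidfile"
    if [ -z "$victim" ]; then
        kill "$holder" 2>/dev/null || true
        echo unsupported; return 0
    fi

    # Arrange for the victim to exit and give the holder time to reap it, so a
    # surviving directory is not merely a zombie's.
    kill "$victim" 2>/dev/null || true; sleep 0.5

    # Probe: can we still "blindly cd" into the dead pid's directory?
    if (cd "/proc/$victim" 2>/dev/null); then result=stale; else result=gone; fi

    kill "$holder" 2>/dev/null || true
    wait "$holder" 2>/dev/null || true
    echo "$result"
}

probe_stale_proc_dir
```

On a kernel with the reported inconsistency this prints stale; current kernels flush the /proc/<pid> dentry when the task is released, so the lookup fails and it prints gone.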