Re: [patch] /proc fix and experimental security patch

Alan Cox (alan@lxorguk.ukuu.org.uk)
Mon, 15 Jun 1998 11:40:46 +0100 (BST)


> - int ino = inode->i_ino & 0xffff;
>
> read_lock(&tasklist_lock);
> if (fill && (p = find_task_by_pid(pid)) != NULL) {
> - if (p->dumpable || ino == PROC_PID_INO) {
> - inode->i_uid = p->euid;
> - inode->i_gid = p->gid;
> - }
> + inode->i_uid = p->euid;
> + inode->i_gid = p->gid;
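Review bot: dropping the `p->dumpable || ino == PROC_PID_INO` guard means every /proc/<pid> inode now gets `i_uid = p->euid` and `i_gid = p->gid` unconditionally, including for tasks that are not dumpable (a process that was setuid and has since dropped privilege); the original code deliberately left such inodes owned by root so that their contents, `mem` in particular, could not be read by the unprivileged effective uid. Unless the intent is to change that policy, keep the dumpable check around the assignment, e.g. restore `if (p->dumpable || ino == PROC_PID_INO) {` with its closing `}`, and keep the `ino` variable the hunk removes, since the condition needs it.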

This appears to be a security hole.

Setuid processes in unix are driven on the basis that even if they drop the
setuid they may contain information that is 'private'. You can neither
ptrace nor core dump them. Now you appear to have added the ability to
access their 'mem' file in /proc freely.
