Bug#552255: linux-image-2.6.26-2-686: /proc permission bypass



On Sat, 2009-10-24 at 20:19 +0100, Anton Ivanov wrote:
> Package: linux-image-2.6.26-2-686
> Version: 2.6.26-17
> Severity: important
> 
> 
> Currently discussed on bugtraq
> 
> Cut-n-pasting the email
> 
> Hi!
> 
> This is a forward from lkml, so no, I did not invent this
> hole. Unfortunately, I do not think lkml sees this as a security hole,
> so...
> 
> Jamie Lokier said:
> > > >  a) the current permission model under /proc/PID/fd has a security
> > > >     hole (which Jamie is worried about)
> > > 
> > > > I believe it's bugtraq time. Being able to reopen file with additional
> > > > permissions looks like a security problem...
> > > 
> > > Jamie, do you have some test script? And do you want your 15 minutes
> > >  of bugtraq fame? ;-).
> 
> > The reopen does check the inode permission, but it does not require
> > you have any reachable path to the file.  Someone _might_ use that as
> > a traditional unix security mechanism, but if so it's probably quite rare.
> 
> Ok, I got this, with two users. I guess it is a real (but obscure)
> security hole.

So obscure that it doesn't really count as important.

> So, we have this scenario. pavel/root is not doing anything interesting in
> the background.
> 
> pavel@toy:/tmp$ uname -a
> Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linux
> pavel@toy:/tmp mkdir my_priv; cd my_priv
> pavel@toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file
> # lock down directory
> pavel@toy:/tmp/my_priv$ chmod 700 .
> # relax file permissions, directory is private, so this is safe
> # check link count on unwritable_file. We would not want someone 
> # to have a hard link to work around our permissions, would we?
> pavel@toy:/tmp/my_priv$ chmod 666 unwritable_file 
[...]

But who's really going to do that, other than to demonstrate this?

Ben.

-- 
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates
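
The configuration discussed in this thread, a file whose own mode is permissive and which relies on a restrictive parent directory, can be audited for. The Python below is an added example, not part of the original messages or of any kernel code; its function names and the constructed sample tree are assumptions, it looks only at the "other" permission class, and it does not inspect directories above the scan root.

```python
import os
import stat
import tempfile

def first_closed_dir(root, dirpath):
    """Return the first directory from root down to dirpath lacking o+x, or None."""
    rel = os.path.relpath(dirpath, root)
    current = root
    for part in [""] + ([] if rel == os.curdir else rel.split(os.sep)):
        current = os.path.join(current, part) if part else current
        if not os.stat(current).st_mode & stat.S_IXOTH:
            return current
    return None

def files_guarded_only_by_directory(root):
    """List (file, closed_dir) pairs: the file's own mode lets 'other' write,
    so only the closed directory keeps other users away from it."""
    root = os.path.abspath(root)
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        closed = first_closed_dir(root, dirpath)
        if closed is None:
            continue  # reachable by path: an ordinary world-writable file
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                findings.append((path, closed))
    return findings

def demo():
    """Constructed tree mirroring the layout in the quoted session."""
    with tempfile.TemporaryDirectory() as base:
        priv = os.path.join(base, "my_priv")
        os.mkdir(priv)
        for name, mode in (("unwritable_file", 0o666), ("strict_file", 0o600)):
            path = os.path.join(priv, name)
            with open(path, "w") as fh:
                fh.write("constructed sample data\n")
            os.chmod(path, mode)
        os.chmod(priv, 0o700)  # directory locked down, as in the session
        return [(os.path.relpath(f, base), os.path.relpath(d, base))
                for f, d in files_guarded_only_by_directory(priv)]

if __name__ == "__main__":
    for path, closed in demo():
        print(f"{path}: mode grants o+w; protected only by {closed}")
```

Since the reopen is checked against the inode permission, tightening the mode of each reported file itself removes the dependence on the directory.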
