Bug#552255: linux-image-2.6.26-2-686: /proc permission bypass
[snip]
> I imagine such applications are already totally insecure.
Sure, agree 100%. However, under normal circumstances they can be bolted
down by a sysadmin using directory permissions until the developers see
the light.
>
> > Fourth, during the discussion it was claimed that this does not work on
> > Linux proper.
>
> In a listing of /proc/self/fd the files appear with read and/or write
> permissions depending on the file descriptor mode. But when a process
> tries to open them they are treated as symbolic links, which have no
> permissions of their own. This is fairly obvious when looking at the
> code and it's not something we change.
I did not have the time to look at it in detail. After one of the people
on the cc-list of the actual discussion said that it does not apply to
"plain linux" and this is Debian-specific, I looked at the current Debian
patch for .26. I saw that there are some patches that apply to the
relevant files for proc, but I have not had the time to decipher what
they do.
>
> > I have some doubts about the claim, but cannot verify it
> > (I am off on holiday in an hour or so). It may be Debian specific or
> > specific to a patch which Debian and more than one other distro is using
> > (ptrace comes to mind). I personally do not think that is the case,
> > however it is worth checking and if it is coming from the ptrace patches
> > double check if they do not introduce something worse than that
> > somewhere.
>
> I don't know what patches you're talking about.
See above. As I said, I have not had the time to test this vs a vanilla
kernel. I am on my way to chop wood for a week instead of chopping code.
Sorry.
Will fw you the relevant email just in case it does not make the bugtraq
moderator queue.
>
> Ben.
>
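
The /proc/self/fd behaviour described in the quoted paragraph above, as an added check that is not part of the original thread: it compares what a listing reports for a read-only descriptor with what happens when the entry is opened for writing after the containing directory has been locked down. The scratch directory, file name and function name are constructed for illustration; it assumes Linux with /proc mounted.

```python
import os
import stat
import tempfile


def check_proc_fd_reopen():
    """Compare open-by-path with reopen via /proc/self/fd on a locked-down dir."""
    workdir = tempfile.mkdtemp(prefix="procfd-check-")  # constructed scratch dir
    path = os.path.join(workdir, "data.txt")
    with open(path, "w") as f:
        f.write("original\n")
    os.chmod(path, 0o666)  # file itself is writable; only the directory gates it

    fd = os.open(path, os.O_RDONLY)
    link = "/proc/self/fd/%d" % fd
    result = {"euid": os.geteuid()}
    try:
        # What a listing shows: mode bits derived from the descriptor's open mode.
        result["listed_mode"] = stat.S_IMODE(os.lstat(link).st_mode)

        os.chmod(workdir, 0)  # restrict access through the directory
        try:
            os.close(os.open(path, os.O_WRONLY))
            result["path_open_blocked"] = False
        except PermissionError:
            result["path_open_blocked"] = True

        # Opening the /proc entry follows it like a symlink to the file, so
        # only the file's own permissions are checked, not the listed bits.
        try:
            wfd = os.open(link, os.O_WRONLY | os.O_APPEND)
            os.write(wfd, b"appended\n")
            os.close(wfd)
            result["proc_reopen_for_write"] = True
        except OSError:
            result["proc_reopen_for_write"] = False
        result["content"] = os.pread(fd, 100, 0).decode()
    finally:
        os.close(fd)
        os.chmod(workdir, 0o700)  # restore so the scratch files can be removed
        os.remove(path)
        os.rmdir(workdir)
    return result


if __name__ == "__main__":
    print(check_proc_fd_reopen())
```

Run it as an unprivileged user: root passes the directory permission check on the path open as well, so `path_open_blocked` is only meaningful without that privilege.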