Hi to all,
Sorry for my bad english.
Just discovered this security problem on my Suse 11 (Linux xxxx
2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386
GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2
00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch.
If a FD is opened on a allowed file and then the permission is changed
the file is still redeable starting from the already read position to
the EOF.
This is the scenario:
<root> creates a file /tmp/aaaa with 666 permission an with the "test"
string inside it
xxx:/tmp # echo test > /tmp/aaaa
xxx:/tmp # chmod 666 /tmp/aaaa
<sb> opens this file hooking it in a shell as FD number 3
sb@xxx:~> bash 3< /tmp/aaaa
<sb> read and prints it
sb@xxx:~> read a <&3
sb@xxx:~> echo $a
test
sb@xxx:~>
...anythig as expected...
<root> changes the permissions on file to 600 and changes its content
into "test o.o I cannot believe it..."
xxx:/tmp # chmod 600 /tmp/aaaa
xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa
<sb> continue to try reading the file
sb@xxx:~> read a <&3
sb@xxx:~> echo $a
o.o I cannot believe it...
sb@test:~>
... and this is not expected...
Writing control seems to be working fine... "bash: echo: write error:
Bad file descriptor"
Hope this can help...
Thanks to all
Alessandro Soraruf
On Fri, Oct 23, 2009 at 10:00:47PM +0200, NiTRo wrote:
> Hi to all,
> Sorry for my bad english.
> Just discovered this security problem on my Suse 11 (Linux xxxx
You did not.
http://lkml.org/lkml/2009/10/23/159
> 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386
> GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2
> 00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch.
> If a FD is opened on a allowed file and then the permission is changed
> the file is still redeable starting from the already read position to
> the EOF.
>
> This is the scenario:
>
> <root> creates a file /tmp/aaaa with 666 permission an with the "test"
> string inside it
> xxx:/tmp # echo test > /tmp/aaaa
> xxx:/tmp # chmod 666 /tmp/aaaa
> <sb> opens this file hooking it in a shell as FD number 3
> sb@xxx:~> bash 3< /tmp/aaaa
> <sb> read and prints it
> sb@xxx:~> read a <&3
> sb@xxx:~> echo $a
> test
> sb@xxx:~>
> ...anythig as expected...
> <root> changes the permissions on file to 600 and changes its content
> into "test o.o I cannot believe it..."
> xxx:/tmp # chmod 600 /tmp/aaaa
> xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa
> <sb> continue to try reading the file
> sb@xxx:~> read a <&3
> sb@xxx:~> echo $a
> o.o I cannot believe it...
> sb@test:~>
> ... and this is not expected...
>
> Writing control seems to be working fine... "bash: echo: write error:
> Bad file descriptor"
>
> Hope this can help...
>
> Thanks to all
> Alessandro Soraruf
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
On Fri 2009-10-23 22:44:44, Marcin Slusarz wrote:
> On Fri, Oct 23, 2009 at 10:00:47PM +0200, NiTRo wrote:
> > Hi to all,
> > Sorry for my bad english.
> > Just discovered this security problem on my Suse 11 (Linux xxxx
>
> You did not.
> http://lkml.org/lkml/2009/10/23/159
Actually, no, this is something different... and old/known AFAICT.
> > 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386
> > GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2
> > 00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch.
> > If a FD is opened on a allowed file and then the permission is changed
> > the file is still redeable starting from the already read position to
> > the EOF.
> >
> > This is the scenario:
> >
> > <root> creates a file /tmp/aaaa with 666 permission an with the "test"
> > string inside it
> > xxx:/tmp # echo test > /tmp/aaaa
> > xxx:/tmp # chmod 666 /tmp/aaaa
> > <sb> opens this file hooking it in a shell as FD number 3
> > sb@xxx:~> bash 3< /tmp/aaaa
> > <sb> read and prints it
> > sb@xxx:~> read a <&3
> > sb@xxx:~> echo $a
> > test
> > sb@xxx:~>
> > ...anythig as expected...
> > <root> changes the permissions on file to 600 and changes its content
> > into "test o.o I cannot believe it..."
> > xxx:/tmp # chmod 600 /tmp/aaaa
> > xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa
> > <sb> continue to try reading the file
> > sb@xxx:~> read a <&3
> > sb@xxx:~> echo $a
> > o.o I cannot believe it...
> > sb@test:~>
> > ... and this is not expected...
Really? I'd expect it. I have file open for reading, you wrote
something new to it, so I can read it back. What is the problem?
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
On Fri 2009-10-23 22:00:47, NiTRo wrote:
> Hi to all,
> Sorry for my bad english.
> Just discovered this security problem on my Suse 11 (Linux xxxx
> 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386
> GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2
> 00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch.
> If a FD is opened on a allowed file and then the permission is changed
> the file is still redeable starting from the already read position to
> the EOF.
There's no reason you could not even seek. And no, it is not a
problem, it is just how unix works.
Pavel
> This is the scenario:
>
> <root> creates a file /tmp/aaaa with 666 permission an with the "test"
> string inside it
> xxx:/tmp # echo test > /tmp/aaaa
> xxx:/tmp # chmod 666 /tmp/aaaa
> <sb> opens this file hooking it in a shell as FD number 3
> sb@xxx:~> bash 3< /tmp/aaaa
> <sb> read and prints it
> sb@xxx:~> read a <&3
> sb@xxx:~> echo $a
> test
> sb@xxx:~>
> ...anythig as expected...
> <root> changes the permissions on file to 600 and changes its content
> into "test o.o I cannot believe it..."
> xxx:/tmp # chmod 600 /tmp/aaaa
> xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa
> <sb> continue to try reading the file
> sb@xxx:~> read a <&3
> sb@xxx:~> echo $a
> o.o I cannot believe it...
> sb@test:~>
> ... and this is not expected...
But it should be :-).
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html
Pavel Machek ha scritto:
> On Fri 2009-10-23 22:44:44, Marcin Slusarz wrote:
>
>> On Fri, Oct 23, 2009 at 10:00:47PM +0200, NiTRo wrote:
>>
>>> Hi to all,
>>> Sorry for my bad english.
>>> Just discovered this security problem on my Suse 11 (Linux xxxx
>>>
>> You did not.
>> http://lkml.org/lkml/2009/10/23/159
>>
>
> Actually, no, this is something different... and old/known AFAICT.
>
Marcin, I just saw this, it's quite similar, right... But I don't fall back to /proc/self/fd for reading... I still use the same FD...
>
>>> 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386
>>> GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2
>>> 00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch.
>>> If a FD is opened on a allowed file and then the permission is changed
>>> the file is still redeable starting from the already read position to
>>> the EOF.
>>>
>>> This is the scenario:
>>>
>>> <root> creates a file /tmp/aaaa with 666 permission an with the "test"
>>> string inside it
>>> xxx:/tmp # echo test > /tmp/aaaa
>>> xxx:/tmp # chmod 666 /tmp/aaaa
>>> <sb> opens this file hooking it in a shell as FD number 3
>>> sb@xxx:~> bash 3< /tmp/aaaa
>>> <sb> read and prints it
>>> sb@xxx:~> read a <&3
>>> sb@xxx:~> echo $a
>>> test
>>> sb@xxx:~>
>>> ...anythig as expected...
>>> <root> changes the permissions on file to 600 and changes its content
>>> into "test o.o I cannot believe it..."
>>> xxx:/tmp # chmod 600 /tmp/aaaa
>>> xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa
>>> <sb> continue to try reading the file
>>> sb@xxx:~> read a <&3
>>> sb@xxx:~> echo $a
>>> o.o I cannot believe it...
>>> sb@test:~>
>>> ... and this is not expected...
>>>
>
>
> Really? I'd expect it. I have file open for reading, you wrote
> something new to it, so I can read it back. What is the problem?
> Pavel
>
I sow the second mail to... Shurely you have right... I'm sorry for this
"no-bug"...
I'd expect a read error due to permissions change... Sorry
Thanks a lot
Alessandro
NiTRo wrote:
> Just discovered this security problem [...]
>If a FD is opened on a allowed file and then the permission is changed
>the file is still redeable starting from the already read position to
>the EOF.
This is not a security problem; this is Unix working as designed.
That's how file descriptors work. File permissions are checked when
the file is opened, not on every read/write to the file descriptor.
That's a pretty fundamental aspect of how Unix works, and it is
well-documented and well-understood.
On the other hand, the /proc attack that Pavel explains *is* a
security problem. But that's different.
> On the other hand, the /proc attack that Pavel explains *is* a
> security problem. But that's different.
I'm glad I convinced at least someone :-). Thanks,
Pavel
--
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html