Date: Wed, 28 Aug 2013 21:11:42 +0100
From: Djalal Harouni
To: Al Viro
Cc: "Eric W. Biederman", Andrew Morton, Solar Designer, Vasiliy Kulikov, Kees Cook, Linus Torvalds, Ingo Molnar, linux-kernel@vger.kernel.org, kernel-hardening@lists.openwall.com
Subject: Re: [PATCH 1/2] procfs: restore 0400 permissions on /proc/*/{syscall,stack,personality}
Message-ID: <20130828201141.GA21455@dztty>
References: <1377534240-13227-1-git-send-email-tixxdz@opendz.org> <871u5gqtw3.fsf@xmission.com> <20130826172054.GE27005@ZenIV.linux.org.uk> <20130827172406.GA2664@dztty>
In-Reply-To: <20130827172406.GA2664@dztty>

Cc'ed more people,

On Tue, Aug 27, 2013 at 06:24:06PM +0100, Djalal Harouni wrote:
> Hi Al,
>
> On Mon, Aug 26, 2013 at 06:20:55PM +0100, Al Viro wrote:
> > On Mon, Aug 26, 2013 at 09:49:48AM -0700, Eric W. Biederman wrote:
> > >
> > > How does changing the permissions to S_IRUSR prevent someone from
> > > opening the file before, and reading the file after a suid exec?
> > >
> > > > This patch restores the old mode which was 0400
> > >
> > > Which seems to add no security whatsoever and obscure the fact that
> > > anyone who cares can read the file so what is the point?
> >
> > Two words: "security sclerosis". Both patches NAKed, of course.
> These particular tissues "are being hardened", no cure for them
>
>
> More seriously, Al, your commit a9712bc12c40c172e393f85 closes the races
> during read(), ok, but can you please shed some light on why the permission
> mode was changed?
>
> 1)
> The commit log states that all these files are "rw-r--r--", which was not
> correct; they were "r--------" before that commit.
>
> 2)
> The commit log also says:
> "if you open a file before the target does suid-root exec, you'll be still
> able to access it." so you do the "task is traceable" check at read()
>
> But what if you open a file of a privileged target, or a target that does
> suid-root exec later, and pass the fd to a suid-root exec to read() from
> it later? You will still pass that traceable check.
>
> And currently a non-privileged process can get an fd on all these
> /proc/*/stack files, even root-owned ones.
>
> So why not restore the old behaviour and block a process from getting an
> fd on /proc/*/stack files that belong to other processes?
>
>
> The original thread that added the /proc/*/stack feature:
> https://lkml.org/lkml/2008/11/7/109
>
> They noted that it should be under 0400 permissions
>
> So why remove that, or why not restore the old safe behaviour?
>
>
> Hope to get a response
>
> Thanks

Al, hope this will convince. Please note I'm just trying to help/contribute and
get things right.

If there is something obvious that I'm missing let me know, will be happy to learn

tixxdz@dztty-qemu:~$ id
uid=1000(tixxdz) gid=1000(tixxdz) groups=1000(tixxdz),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev)

tixxdz@dztty-qemu:~$ ls -lha ./a.out
-rwxr-xr-x 1 tixxdz tixxdz 8.0K Aug 28 20:26 ./a.out

tixxdz@dztty-qemu:~$ ls -lha /usr/bin/procmail
-rwsr-sr-x 1 root mail 88K Apr 25  2010 /usr/bin/procmail

(procmail with -d needs setuid())

tixxdz@dztty-qemu:~$ for i in $(seq 1 10); do ./a.out /usr/bin/procmail /proc/$i/stack ; done

tixxdz@dztty-qemu:~$ cat /var/mail/tixxdz
[] poll_schedule_timeout+0x57/0xe0
[] do_select+0x8b7/0x9a0
[] core_sys_select+0x4bc/0x4f0
[] SyS_select+0xc1/0x110
[] system_call_fastpath+0x16/0x1b
[] 0xffffffffffffffff
[] kthreadd+0xb1/0x150
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] smpboot_thread_fn+0x1be/0x220
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] worker_thread+0x2e0/0x370
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] worker_thread+0x2e0/0x370
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] worker_thread+0x2e0/0x370
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] smpboot_thread_fn+0x1be/0x220
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] rcu_gp_kthread+0xe3/0x620
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] rcu_gp_kthread+0x3a4/0x620
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
[] smpboot_thread_fn+0x1be/0x220
[] kthread+0xd1/0xe0
[] ret_from_fork+0x7c/0xb0
[] 0xffffffffffffffff
You have mail in /var/mail/tixxdz

Thanks

--
Djalal Harouni
http://opendz.org
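The point of the thread is that the mode bits on /proc/*/{syscall,stack,personality} are what decides whether an unprivileged process can obtain an fd at all; the traceability check only runs at read() time. As an added audit helper (not part of the thread, and not the a.out used in the demonstration above), the script below walks /proc and reports every such file whose mode is wider than the 0400 the patch wants to restore. The function names classify_mode and audit_proc_files are my own; the script assumes a Linux system with GNU stat.

```shell
#!/bin/sh
# Added audit helper, not from the LKML thread: list /proc/<pid>/{syscall,stack,personality}
# entries whose permission bits would let a process other than the owner open() them.

# classify_mode MODE
#   MODE is an octal permission string as printed by `stat -c %a` (e.g. "444" or "0400").
#   Prints one of:
#     ok                   exactly 0400 (owner read only, the mode the patch restores)
#     owner-only           no group/other bits, but owner has more than read (e.g. 0600)
#     group-or-other-bits  at least one group or other bit is set (e.g. 0444, 0644)
classify_mode() {
    m=$1
    # Left-pad to four digits as a string; printf %d would misread "0400" as octal.
    while [ "${#m}" -lt 4 ]; do m="0$m"; done
    case "$m" in
        0400)      echo ok ;;
        0[0-7]00)  echo owner-only ;;
        *)         echo group-or-other-bits ;;
    esac
}

# audit_proc_files
#   Prints "<path> <mode> <verdict>" for every /proc/<pid>/{syscall,stack,personality}
#   whose mode is not 0400. Processes that exit mid-scan are skipped silently.
audit_proc_files() {
    for f in /proc/[0-9]*/syscall /proc/[0-9]*/stack /proc/[0-9]*/personality; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null) || continue
        verdict=$(classify_mode "$mode")
        [ "$verdict" = ok ] || printf '%s %s %s\n' "$f" "$mode" "$verdict"
    done
}

# Run the audit when executed directly; on a kernel carrying the commit discussed
# above, expect lines ending in "group-or-other-bits" for every process.
audit_proc_files
```

Note that this only covers the open()-time half of the problem described in the mail: even with 0400 restored, a process that already holds an fd is still subject only to the read()-time check, so the mode bits and the per-read traceability check have to be considered together.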