Hello,
I do not think that the following behaviour (2.4.0-test10 on i386, also
tested with 2.4.0-test8) is intended:
[email protected]:~ > id
uid=503(testuser) gid=100(users) Gruppen=100(users)
[email protected]:~ > ls -lad .
drwx------ 7 testuser users 4096 Nov 5 13:38 .
[email protected]:~ > cd dir
[email protected]:~/dir > ls -la
insgesamt 16
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 .
drwx------ 7 testuser users 4096 Nov 5 13:38 ..
-rw-r--r-- 1 testuser users 7 Nov 5 13:39 file
drwxrwxr-x 2 testuser users 4096 Nov 5 13:39 subdir
Myself (lpressl, uid=500) cannot change into /home/testuser/dir,
as expected:
[email protected]:~ > cd ~testuser/dir
bash: cd: /home/testuser/dir: Permission denied
BUT: let testuser be logged in and have a process (bash) with cwd
/home/testuser/dir. Then
[email protected]:~ > ps uax |grep testuser
yields
...
testuser 588 0.0 2.1 2256 1360 tty2 S 13:38 0:00 -bash
...
[email protected]:~ > cd /proc/588
[email protected]:/proc/588 > ls -la
total 0
dr-xr-xr-x 3 testuser users 0 Nov 5 13:49 .
dr-xr-xr-x 59 root root 0 Nov 5 13:34 ..
-r--r--r-- 1 testuser users 0 Nov 5 13:49 cmdline
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 cwd -> /home/testuser/dir
-r-------- 1 testuser users 0 Nov 5 13:49 environ
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 exe -> /bin/bash
dr-x------ 2 testuser users 0 Nov 5 13:49 fd
-r--r--r-- 1 testuser users 0 Nov 5 13:49 maps
-rw------- 1 testuser users 0 Nov 5 13:49 mem
lrwxrwxrwx 1 testuser users 0 Nov 5 13:49 root -> /
-r--r--r-- 1 testuser users 0 Nov 5 13:49 stat
-r--r--r-- 1 testuser users 0 Nov 5 13:49 statm
-r--r--r-- 1 testuser users 0 Nov 5 13:49 status
cd cwd shouldn't be possible, should it? But let's see:
[email protected]:/proc/588 > cd cwd
[email protected]:/proc/588/cwd >
Oops....
[email protected]:/proc/588/cwd > ls -la
total 16
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 .
drwx------ 7 testuser users 4096 Nov 5 13:38 ..
-rw-r--r-- 1 testuser users 7 Nov 5 13:39 file
drwxrwxr-x 2 testuser users 4096 Nov 5 13:39 subdir
[email protected]:/proc/588/cwd > cat file
secret
[email protected]:/proc/588/cwd > cd subdir
[email protected]:/proc/588/cwd/subdir >
[email protected]:/proc/588/cwd/subdir > echo ohoh > newfile
[email protected]:/proc/588/cwd/subdir > ls -la
total 12
drwxrwxr-x 2 testuser users 4096 Nov 5 13:53 .
drwxr-xr-x 3 testuser users 4096 Nov 5 13:39 ..
-rw-r--r-- 1 lpressl users 5 Nov 5 13:53 newfile
This is bad. 2.2 kernels don't show this behavior. There _any_
/proc/PID/cwd "directory" has no group or world permissions
at all.
I haven't looked at the code at all yet. Anybody with a fix?
Regards,
Lutz
--
_ | Lutz Pressler | Tel: ++49-551-3700002
|_ |\ | | Service Network GmbH | FAX: ++49-551-3700009
._|ER | \|ET | Bahnhofsallee 1b | mailto:[email protected]
Service Network | D-37081 Goettingen | http://www.SerNet.DE/
On Sun, Nov 05, 2000 at 01:02:14PM +0000, Lutz Pressler wrote:
> Hello,
>
> I do not think that the following behaviour (2.4.0-test10 on i386, also
> tested with 2.4.0-test8) is intended:
>
..
> This is bad. 2.2 kernels don't show this behavior. There _any_
> /proc/PID/cwd "directory" has no group or world permissions
> at all.
>
> I haven't looked at the code at all yet. Anybody with a fix?
I wonder that no one responded. I can confirm this - in 2.2.x links to cwd,
exe etc. pointed to nowhere (readlink failed) when there were insufficient
privileges to enter the dir. In 2.4.x the links blindly point to the directory
setting all its privileges for access by /proc. Because everyone has dirs
drwxr-xr-x in his home, such dirs now become accessible through /proc if the user
is in them. This is a real security leak.
ex:
[[email protected] 210]$ whoami
johnydog
[[email protected] 210]$ pwd
/proc/210
[[email protected] 210]$ ls -l ./cwd
lrwxrwxrwx 1 root root 0 Nov 6 01:26 ./cwd -> /root/.mc
[[email protected] 210]$ cd /root/.mc
bash: /root/.mc: Permission denied
[[email protected] 210]$ cd cwd
[[email protected] cwd]$ ls -l
total 53
-rw-r--r-- 1 root root 35 Nov 6 01:16 Tree
-rw-r--r-- 1 root root 13203 May 31 11:54 ext
-rw------- 1 root root 15952 Nov 6 01:16 history
-rw------- 1 root root 20 May 6 1998 hotlist
-rw-r--r-- 1 root root 6417 Nov 6 01:16 ini
drwx------ 2 root root 3072 Nov 6 01:16 tmp
-rw-r--r-- 1 root root 10121 Jun 30 17:04 tree
[[email protected] cwd]$
Jan Dvorak <[email protected]>
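
Added example (not part of either message above, and not kernel code): a small Python model of the owner/group/other check, using the modes from the first transcript. It shows why the 0700 on /home/testuser protects dir only while a lookup has to walk through it. The modes of / and /home, and lpressl being in group users (gid 100, inferred from the newfile listing), are assumptions.

```python
# Constructed model of the tree in the first message: path -> (uid, gid, mode).
# testuser=503, lpressl=500, group users=100; "/" and "/home" modes are assumed.
TREE = {
    "/": (0, 0, 0o755),
    "/home": (0, 0, 0o755),
    "/home/testuser": (503, 100, 0o700),
    "/home/testuser/dir": (503, 100, 0o755),
    "/home/testuser/dir/file": (503, 100, 0o644),
    "/home/testuser/dir/subdir": (503, 100, 0o775),
}
R, W, X = 4, 2, 1
DIR = "/home/testuser/dir"

def allowed(path, uid, gids, want):
    """Owner/group/other mode-bit check on a single inode (no root override)."""
    owner, group, mode = TREE[path]
    shift = 6 if uid == owner else 3 if group in gids else 0
    return ((mode >> shift) & want) == want

def walk(start, rel, uid, gids, want):
    """Resolve rel from start: search (x) is required on start and on every
    directory passed through, then `want` on the final object. Directories
    above start are never consulted."""
    cur = start
    for part in filter(None, rel.split("/")):
        if not allowed(cur, uid, gids, X):
            return False
        cur = cur.rstrip("/") + "/" + part
    return allowed(cur, uid, gids, want)

def report(uid, gids):
    """Outcome of each step of the transcript for the given credentials."""
    return {
        "cd /home/testuser/dir (by path)": walk("/", DIR, uid, gids, X),
        "cd cwd (lands on dir itself)": walk(DIR, "", uid, gids, X),
        "cat file": walk(DIR, "file", uid, gids, R),
        "create subdir/newfile": walk(DIR, "subdir", uid, gids, W | X),
    }

if __name__ == "__main__":
    for step, ok in report(500, {100}).items():
        print(f"{'allowed' if ok else 'denied ':8} {step}")
```

In this model, setting dir itself to 0700 makes the second step deny as well; the ancestor's mode is only ever checked on the by-path route.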