LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

View Poll Results: Do you think this is a security bug which needs fixing?
Yes 8 66.67%
No 4 33.33%
Voters: 12. You may not vote on this poll

Reply
 
Search this Thread
Old 11-03-2009, 07:15 AM   #1
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Linux Kernel 'proc' World Writeable File Security Bypass Vulnerability


At this point, there's still too much debate about this vulnerability for me to include it in the Kernel Vulns thread, even though it's now been issued a Bugtraq ID. Presumably, most of you keep an eye on Bugtraq (discussion has taken place on LKML too), so this issue wouldn't be news for you, but being able to discuss it in the comfort of LQ might be nice.

Link to the OP on Bugtraq: http://seclists.org/bugtraq/2009/Oct/179.

Last edited by win32sux; 11-03-2009 at 08:53 AM. Reason: Added link to OP.
 
Old 11-03-2009, 11:33 AM   #2
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
I'm really not invested in the argument one way or the other, but my take is: if you don't want a file to be written to, remove the write bit as appropriate.

That said, I could see how this idea would result in a blackhole of discussion.
 
Old 11-03-2009, 02:50 PM   #3
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
I agree with Dan Yefimov, this is not a vulnerability, but a user error.
 
Old 11-03-2009, 05:50 PM   #4
win32sux
Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Original Poster
Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Quote:
Originally Posted by H_TeXMeX_H View Post
I agree with Dan Yefimov, this is not a vulnerability, but a user error.
What exactly do you consider the user error to be? The assigning of world-writeable permissions to the file? The assumption that the file would be protected regardless by the restrictive permissions of the directory it resides in?

Last edited by win32sux; 11-03-2009 at 09:04 PM.
 
Old 11-04-2009, 02:09 AM   #5
exvor
Senior Member
 
Registered: Jul 2004
Location: Phoenix, Arizona
Distribution: LFS-Version SVN-20091202, Arch 2009.08
Posts: 1,484

Rep: Reputation: 66
I found reading about this very interesting even if some of it is lost on me. Its odd why going though proc would bypass security on the file or am I missing something. Can you use other devices other then fd to accomplish this or is this specific to that?
 
Old 11-04-2009, 01:46 PM   #6
H_TeXMeX_H
Guru
 
Registered: Oct 2005
Location: $RANDOM
Distribution: slackware64
Posts: 12,928
Blog Entries: 2

Rep: Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269Reputation: 1269
Quote:
Originally Posted by win32sux View Post
What exactly do you consider the user error to be? The assigning of world-writeable permissions to the file? The assumption that the file would be protected regardless by the restrictive permissions of the directory it resides in?
Well, the main thing the author of this bug does not understand is that /proc or procfs is actually just a set of hard links, or acts like it.

If you do not set the permissions on a file itself correctly, not the directory above, then you cannot expect that you cannot read it. Also, like Dan says here:
http://seclists.org/bugtraq/2009/Oct/291
what the author describes would not happen if the directory permissions were set correctly upon creation.

I can't say that I fully understand exactly what is going on, but it seems that this is no bug. It is that the user expects something that is not to be expected.
 
Old 11-24-2009, 03:04 PM   #7
jpaugh
LQ Newbie
 
Registered: Aug 2009
Posts: 2

Rep: Reputation: 0
Whether this is actually a security hole--i.e. software behaving differently than specification--or simply a case of the user misunderstanding the specification, I think it should be "fixed," because it is a problem. I think the privilege level of a directory should represent the maximum privilege level of all contained files (and sub-folders). Either that, or creation of a new file should result in that file inheriting the read/write privileges of its parent, so that at least the parent's privileges becomes the default for all of the files within it.
 
Old 11-24-2009, 04:02 PM   #8
GazL
Senior Member
 
Registered: May 2008
Posts: 3,330

Rep: Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884Reputation: 884
I agree with H_Tex, it looks like a pretty standard example of a race condition. The guy should lock down the directory THEN create the file.

User error, but perhaps I'm missing something if it's getting as much discussion as it appears to be.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
World Writeable System Files mccartjd Linux - Newbie 6 06-02-2008 05:58 AM
world writeable files will not stay world writeable antken Mandriva 1 03-02-2004 05:04 PM
What if making /var/mail world-writeable? J_Szucs Linux - Security 4 08-18-2002 09:33 AM


All times are GMT -5. The time now is 01:38 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration