LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   Linux Kernel 'proc' World Writeable File Security Bypass Vulnerability (http://www.linuxquestions.org/questions/linux-security-4/linux-kernel-proc-world-writeable-file-security-bypass-vulnerability-766472/)

win32sux 11-03-2009 07:15 AM

Linux Kernel 'proc' World Writeable File Security Bypass Vulnerability
 
At this point, there's still too much debate about this vulnerability for me to include it in the Kernel Vulns thread, even though it's now been issued a Bugtraq ID. Presumably, most of you keep an eye on Bugtraq (discussion has taken place on LKML too), so this issue wouldn't be news for you, but being able to discuss it in the comfort of LQ might be nice.

Link to the OP on Bugtraq: http://seclists.org/bugtraq/2009/Oct/179.

anomie 11-03-2009 11:33 AM

I'm really not invested in the argument one way or the other, but my take is: if you don't want a file to be written to, remove the write bit as appropriate.

That said, I could see how this idea would result in a blackhole of discussion. ;)

H_TeXMeX_H 11-03-2009 02:50 PM

I agree with Dan Yefimov, this is not a vulnerability, but a user error.

win32sux 11-03-2009 05:50 PM

Quote:

Originally Posted by H_TeXMeX_H (Post 3743088)
I agree with Dan Yefimov, this is not a vulnerability, but a user error.

What exactly do you consider the user error to be? The assigning of world-writeable permissions to the file? The assumption that the file would be protected regardless by the restrictive permissions of the directory it resides in?

exvor 11-04-2009 02:09 AM

I found reading about this very interesting even if some of it is lost on me. Its odd why going though proc would bypass security on the file or am I missing something. Can you use other devices other then fd to accomplish this or is this specific to that?

H_TeXMeX_H 11-04-2009 01:46 PM

Quote:

Originally Posted by win32sux (Post 3743350)
What exactly do you consider the user error to be? The assigning of world-writeable permissions to the file? The assumption that the file would be protected regardless by the restrictive permissions of the directory it resides in?

Well, the main thing the author of this bug does not understand is that /proc or procfs is actually just a set of hard links, or acts like it.

If you do not set the permissions on a file itself correctly, not the directory above, then you cannot expect that you cannot read it. Also, like Dan says here:
http://seclists.org/bugtraq/2009/Oct/291
what the author describes would not happen if the directory permissions were set correctly upon creation.

I can't say that I fully understand exactly what is going on, but it seems that this is no bug. It is that the user expects something that is not to be expected.

jpaugh 11-24-2009 03:04 PM

Whether this is actually a security hole--i.e. software behaving differently than specification--or simply a case of the user misunderstanding the specification, I think it should be "fixed," because it is a problem. I think the privilege level of a directory should represent the maximum privilege level of all contained files (and sub-folders). Either that, or creation of a new file should result in that file inheriting the read/write privileges of its parent, so that at least the parent's privileges becomes the default for all of the files within it.

GazL 11-24-2009 04:02 PM

I agree with H_Tex, it looks like a pretty standard example of a race condition. The guy should lock down the directory THEN create the file.

User error, but perhaps I'm missing something if it's getting as much discussion as it appears to be.


All times are GMT -5. The time now is 01:30 PM.