On Sat, 2009-10-24 at 20:19 +0100, Anton Ivanov wrote:
> Package: linux-image-2.6.26-2-686
> Version: 2.6.26-17
> Severity: important
>
>
> Currently discussed on bugtraq
>
> Cut-n-pasting the email
>
> Hi!
>
> This is forward from lkml, so no, I did not invent this
> hole. Unfortunately, I do not think lkml sees this as a security hole,
> so...
>
> Jamie Lokier said:
> > > > a) the current permission model under /proc/PID/fd has a security
> > > > hole (which Jamie is worried about)
> > >
> > > I believe it's bugtraq time. Being able to reopen file with additional
> > > permissions looks like a security problem...
> > >
> > > Jamie, do you have some test script? And do you want your 15 minutes
> > > of bugtraq fame? ;-).
>
> > The reopen does check the inode permission, but it does not require
> > you have any reachable path to the file. Someone _might_ use that as
> > a traditional unix security mechanism, but if so it's probably quite rare.
>
> Ok, I got this, with two users. I guess it is real (but obscure)
> security hole.

So obscure that it doesn't really count as important.

> So, we have this scenario. pavel/root is not doing anything interesting in
> the background.
>
> pa...@toy:/tmp$ uname -a
> Linux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel
> GNU/Linux
> pa...@toy:/tmp mkdir my_priv; cd my_priv
> pa...@toy:/tmp/my_priv$ echo this file should never be writable >
> unwritable_file
> # lock down directory
> pa...@toy:/tmp/my_priv$ chmod 700 .
> # relax file permissions, directory is private, so this is safe
> # check link count on unwritable_file. We would not want someone
> # to have a hard link to work around our permissions, would we?
> pa...@toy:/tmp/my_priv$ chmod 666 unwritable_file
[...]

But who's really going to do that, other than to demonstrate this?

Ben.

--
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption] would be
development of an easy way to factor large prime numbers. - Bill Gates
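An audit for the pattern in the quoted scenario, as an added example that is not part of the original message or the bug report: it lists files whose own mode grants write access to other users while a directory above them withholds search permission, so the directory is the only barrier. The function names and the sample tree are constructed for illustration, and only directories at or below the given root are inspected.

```python
import os
import stat
import tempfile


def path_only_protected(root):
    """Return files under root that 'other' may write according to the
    inode mode, but that sit below a directory 'other' cannot traverse."""
    findings = []

    def walk(directory, locked):
        # A directory without o+x blocks path lookup for other users.
        # Assumption: ancestors above `root` are not inspected.
        mode = os.lstat(directory).st_mode
        locked = locked or not (mode & stat.S_IXOTH)
        for entry in sorted(os.scandir(directory), key=lambda e: e.name):
            if entry.is_dir(follow_symlinks=False):
                walk(entry.path, locked)
            elif entry.is_file(follow_symlinks=False):
                fmode = entry.stat(follow_symlinks=False).st_mode
                # The reopen check looks at the inode mode only, so a
                # world-writable file here relies on the path alone.
                if locked and fmode & stat.S_IWOTH:
                    findings.append(entry.path)

    walk(root, False)
    return findings


def build_sample():
    """Constructed sample tree mirroring the quoted my_priv layout."""
    base = tempfile.mkdtemp()
    priv = os.path.join(base, "my_priv")
    os.mkdir(priv)
    for name, mode in (("unwritable_file", 0o666), ("other_file", 0o644)):
        path = os.path.join(priv, name)
        with open(path, "w") as handle:
            handle.write("this file should never be writable\n")
        os.chmod(path, mode)      # explicit chmod, independent of umask
    os.chmod(priv, 0o700)         # "lock down directory"
    os.chmod(base, 0o755)         # the lock comes from my_priv only
    return base


if __name__ == "__main__":
    for path in path_only_protected(build_sample()):
        print("relies on directory permissions only:", path)
```

Tightening the mode on the file itself clears the finding, whatever the directory permissions are.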