[snip]
> I imagine such applications are already totally insecure.

Sure, agree 100%. However, under normal circumstances they can be bolted down by a sysadmin using directory permissions until the developers see the light.

> > > Fourth, during the discussion it was claimed that this does not work on
> > > Linux proper.
>
> In a listing of /proc/self/fd the files appear with read and/or write
> permissions depending on the file descriptor mode. But when a process
> tries to open them they are treated as symbolic links, which have no
> permissions of their own. This is fairly obvious when looking at the
> code and it's not something we change.

I did not have the time to look at it in detail. After one of the people on the cc-list of the actual discussion said that it does not apply to "plain linux" and this is debian-specific, I looked at the current debian patch for .26. I saw that there are some patches that apply to the relevant files for proc, but I have not had the time to decipher what they do.

> > > I have some doubts about the claim, but cannot verify it
> > > (I am off on holiday in an hour or so). It may be Debian specific or
> > > specific to a patch which Debian and more than one other distro is using
> > > (ptrace comes to mind). I personally do not think that is the case,
> > > however it is worth checking and if it is coming from the ptrace patches
> > > double check if they do not introduce something worse than that
> > > somewhere.
>
> I don't know what patches you're talking about.

See above. As I said, I have not had the time to test this vs a vanilla kernel. I am on my way to chop wood for a week instead of chopping code. Sorry. Will fw you the relevant email just in case it does not make the bugtraq moderator queue.

> Ben.
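An added shell illustration of the /proc/self/fd behaviour described in the quoted text (example code, not from the thread or the kernel discussion): it opens a file read-only, shows the r-x mode bits /proc reports for that descriptor, then reopens the same entry for writing, which succeeds or fails according to the target file's own permissions rather than the descriptor's mode. It assumes Linux with /proc mounted; the file paths are constructed.

```shell
#!/bin/sh
# Added illustration, not code from the thread. Opens $1 read-only on fd 3,
# reports the mode bits /proc shows for that descriptor, then tries to
# reopen the /proc entry for writing. Because /proc/self/fd/N is a "magic"
# symlink, the new open is checked against the target inode's permissions,
# so a read-only descriptor does not stop a write if the file itself is
# writable by the caller. Prints "<mode> writable" or "<mode> denied".
procfd_reopen() {
    target=$1
    exec 3< "$target"                                  # read-only descriptor
    mode=$(ls -l /proc/self/fd/3 | cut -c1-10)         # e.g. lr-x------
    # echo is a builtin, so /proc/self here is this shell and fd 3 exists.
    if echo "written via /proc" 2>/dev/null > /proc/self/fd/3; then
        outcome=writable
    else
        outcome=denied
    fi
    exec 3<&-
    echo "$mode $outcome"
}

# Constructed sample files: one owner-writable, one owner-read-only (0400).
# The first reopen succeeds and replaces the content; the second is denied
# for an unprivileged user (root bypasses mode bits via CAP_DAC_OVERRIDE).
demo() {
    dir=$(mktemp -d)
    echo original > "$dir/rw"
    echo original > "$dir/ro" && chmod 0400 "$dir/ro"
    procfd_reopen "$dir/rw"
    procfd_reopen "$dir/ro"
    cat "$dir/rw"
    rm -rf "$dir"
}
```

The defensive takeaway matches the quoted explanation: what protects the file is the permission on the target inode (and the 0500 ownership of /proc/<pid>/fd, which keeps other users out), not the access mode of the descriptor.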