Date: Sat, 06 Nov 1999 13:06:34 -0700
From: Warner Losh <imp@village.org>
To: "Daniel C. Sobral" <dcs@newsguy.com>
Cc: David Malone <dwmalone@maths.tcd.ie>, freebsd-hackers@FreeBSD.ORG
Subject: Re: Procfs' pointers to files.
Message-ID: <199911062006.NAA00573@harmony.village.org>
In-Reply-To: Your message of "Sun, 07 Nov 1999 02:25:55 +0900." <382464A3.F8A3ADA7@newsguy.com>
References: <382464A3.F8A3ADA7@newsguy.com> <199910291530.aa28972@salmon.maths.tcd.ie>
> Is this a real problem, or is it a "well don't protect suid
> executables that way" problem? The permissions used in Linux's
> /proc seem to be more conservative and seem to prevent this.

Yes. This is a real problem. One of the security team has had patches since before FreeBSD CON. There are other related problems. The easy way out is to remove file completely, but there were some objections to doing that, so things haven't been committed.

: Err... I don't see the problem. The permissions of the hardlink will
: be different, so the user might be able to see the "code", but won't
: be able to run the suid (because the hardlink won't have the suid
: bit set).

There are ways that the user can see the code to execute it, but not read it normally. procfs breaches this inability to read the file.

Also, there are many related problems which make a proper fix for this that is more complicated than removing /proc/xxx/file nearly impossible. "Proper" here means "A fix which will prevent the disclosure of a file to unauthorized people which would normally not be able to read the file."

I'm convinced that it would be hard to codify all the security checks needed to access the file originally into a single number which would allow people that could read the original file to read /proc/xxx/file and disallow people who couldn't read the file to also be disallowed from reading /proc/xxx/file.

The example that convinced me of this is /a/b/foo.

/a        mode 750 user joe group joeys
/a/b      mode 750 user bob group briggs
/a/b/foo  mode 555 user tim group timbo

What should the owner/group of /proc/xxx/file be? One option would be 550 user tim, group timbo. However, this allows users that are in group timbo, but aren't in group briggs AND joeys to read the file. Another option would be 500 user tim group timbo, but this then disallows people that are in groups timbo, briggs and joeys, who aren't user tim from reading the file (as well as others who could read /a/b/foo).

There is not one number for the example (or other more complicated ones that I could construct) that works exactly the same as the filesystem does.

Warner