Re: /proc filesystem allows bypassing directory permissions on Linux

[Pavel Machek <pavel () ucw cz>]

Hi!

> > That race is easily fixed.
>
> No, you're not right.
>
> > After chmodding the directory to 0700, *first*
> > check the link count, *then* chmod the file to 0666:
> >
> >     User1 creates file with permissions 0644
> >                     User2 opens file for read access on file descriptor 4
> >     User1 chmod's directory to 0700
> >     User1 verifies no hard links to file
>
> Here's a window, during which User2 is able to create a hardlink and
> that will remain unnoticed by User1. There's no way to perform link
> check and conditionally do chmod in an atomic manner.

0700 on directory prevents hardlink creation, see?

pavel@amd:/tmp$ mkdir my_dir
pavel@amd:/tmp$ cd my_dir/
pavel@amd:/tmp/my_dir$ ls
pavel@amd:/tmp/my_dir$ > foo
pavel@amd:/tmp/my_dir$ chmod 700 .
pavel@amd:/tmp/my_dir$ su guest
Password:
guest@amd:/tmp/my_dir$ ln foo /tmp/bar
ln: accessing `foo': Permission denied
guest@amd:/tmp/my_dir$

You need x bit on directory to look up foo.

> > Excluding the /proc route, at no point during this sequence, User2 could
> > have opened the file for writing. Therefore, User1 expects (justified,
> > imo) that User2 cannot write to the file. The writability of /proc/$$/fd/4
> > violates this expectation.
> Again, you're not right. See above.

No, he's right, see above.
                                                                        Pavel

-- 
(english) http://www.livejournal.com/~pavelmachek
(cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html