[412] in linux-security and linux-alert archive

Re: Kernel /proc security holes

daemon@ATHENA.MIT.EDU (Marek Michalkiewicz)
Wed Oct 11 14:46:16 1995

From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
To: nickkral@parker.EECS.Berkeley.EDU (Nick Kralevich)
Date: Tue, 10 Oct 1995 19:16:13 +0100 (MET)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.HPP.3.91.951004231251.17607B-100000@parker.EECS.Berkeley.EDU> from "Nick Kralevich" at Oct 4, 95 11:16:16 pm

Nick Kralevich:
> I've heard numerous people mention the security holes in the /proc 
> filesystem.  From what I have heard, most of the discussion goes on in 
> the Linux kernel mailing list.  However, I don't subscribe to that list.
> 
> Right now I am running 1.2.13.  Are there any known security holes in 
> that version?  If so, how would I go about patching those holes?

Unfortunately, there are still some holes.  The owner of /proc files
is changed to root if the process becomes undumpable, but this change
doesn't always take effect immediately.  Here is one example (thanks
to Ian Jackson for sending it to me):

    $ echo $$
    ...
    $ ls -al /proc/<pid>
    $ dd if=/proc/<pid>/mem of=/dev/null
    ...
    $ exec su
    Password:
    $ ls -al /proc/<pid>
    $ dd if=/proc/<pid>/mem of=/dev/null
    ...

The first "ls" will read the inode information in memory when the process
is still dumpable, the second will use the cached inode information and
files will have the same permissions.

This has been fixed in recent 1.3.x kernels (1.3.30 appears to be safe).
The permissions now change immediately if the process becomes undumpable.

There is still another problem which needs fixing.  Open /proc/<pid>/mem
while the process is still dumpable, hold the file descriptor, and then
have the process exec some setuid program.  The process is now undumpable
and you can't open /proc/<pid>/mem now, but you can read the previously
opened file descriptor.  Fortunately, write is not supported yet...

Marek
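An added defender-side check, not part of Marek's message or of any kernel code: the script below walks /proc and flags processes whose /proc/<pid> directory is still owned by the unprivileged real uid even though their effective uid differs, which is the stale-ownership symptom the message describes after a setuid exec. The sample status text is constructed; the file layout it parses is the ordinary Uid: line of /proc/<pid>/status. A process can re-enable dumpability with prctl(PR_SET_DUMPABLE), so hits are leads for review, not proof of the bug.

```python
#!/usr/bin/env python3
"""Audit /proc/<pid> ownership against each process's credentials.

On a kernel with the fix the message refers to, a task that becomes
undumpable (for example by exec'ing a setuid program) has its /proc/<pid>
entries owned by root immediately. An entry still owned by the real uid
while real != effective is the cached-inode condition described above.
"""
import os
import re

# The "Uid:" line lists real, effective, saved and filesystem uids.
UID_LINE = re.compile(r"^Uid:\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)", re.M)

# Constructed sample of /proc/<pid>/status for a user process that has
# exec'ed a setuid-root program (real uid 1000, effective uid 0).
SAMPLE_STATUS = "Name:\tsu\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"


def parse_uids(status_text):
    """Return (real, effective, saved, fs) uids from status file text."""
    m = UID_LINE.search(status_text)
    if not m:
        raise ValueError("no Uid: line in status text")
    return tuple(int(x) for x in m.groups())


def stale_ownership(dir_owner_uid, uids):
    """True if /proc/<pid> is owned by an unprivileged real uid while
    the effective uid differs from it.

    Heuristic only: a program may call prctl(PR_SET_DUMPABLE, 1) and
    legitimately keep its /proc entries owned by the real uid.
    """
    real, effective = uids[0], uids[1]
    return real != 0 and real != effective and dir_owner_uid == real


def audit_proc(proc_root="/proc"):
    """Walk proc_root; return [(pid, owner_uid, uids)] for suspect entries."""
    hits = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        path = os.path.join(proc_root, name)
        try:
            owner = os.stat(path).st_uid
            with open(os.path.join(path, "status")) as f:
                uids = parse_uids(f.read())
        except (OSError, ValueError):
            continue  # process exited or status unreadable; skip it
        if stale_ownership(owner, uids):
            hits.append((int(name), owner, uids))
    return hits


def demo():
    """Run the check on the constructed sample as if /proc/<pid> were
    still owned by uid 1000 (stale) and then by root (correct)."""
    uids = parse_uids(SAMPLE_STATUS)
    return stale_ownership(1000, uids), stale_ownership(0, uids)


if __name__ == "__main__":
    print("sample (stale, fixed):", demo())
    for pid, owner, uids in audit_proc():
        print(f"pid {pid}: /proc/{pid} owned by uid {owner}, Uid: {uids}")
```

Run it as an unprivileged user on the host under review; an empty result for real processes means every setuid-exec'ed task has already had its /proc entries handed to root, which is the behaviour the message reports for 1.3.30 and later.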