[548] in linux-security and linux-alert archive
Re: /proc insecurity
daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Jan 4 05:09:52 1996
Date: Wed, 3 Jan 1996 20:58:56 -0500
From: "Theodore Ts'o" <tytso@MIT.EDU>
To: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Cc: linux-kernel@vger.rutgers.edu, linux-security@tarsier.cv.nrao.edu
In-Reply-To: Marek Michalkiewicz's message of Wed, 3 Jan 1996 21:33:34 +0100 (MET),
<199601032033.VAA13830@i17linuxb.ists.pwr.wroc.pl>
From: Marek Michalkiewicz <marekm@i17linuxb.ists.pwr.wroc.pl>
Date: Wed, 3 Jan 1996 21:33:34 +0100 (MET)
How about this: for every process track the /proc/<pid>/mem open count
(add a new field to struct task_struct). You can do that using the
open/release operations, initialize it to zero for the initial task,
and set it to zero for a newly created child process in fork().
Now, if this count is nonzero for the current process, and we try to
exec a setuid program, behave as if the process was ptraced: execute
it but ignore the setuid and setgid bits.
I really prefer the idea of invalidating open file descriptors to
/proc/<pid>/mem over this idea, since making the setuid fail is much
more surprising than simply invalidating the fd's to /proc/<pid>/mem.
Invalidating the fd's isn't all that hard. Look at tty_hangup() in
drivers/char/tty_io.c for a model of how to do things. Basically, you
just replace the operations structure with one where the read and write
calls return EOF or an error.
- Ted
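The following is an added userspace model of the invalidation approach Ted describes; it is not code from this thread, not a kernel patch, and not the actual tty_hangup() implementation. It mimics the tty_hangup() idea in miniature: each open descriptor carries a pointer to an operations table, and on setuid exec every descriptor open on the task's memory has that pointer swapped for a table whose read returns EOF and whose write returns an error. The names (struct mem_file, mem_open, task_exec_setuid, live_ops, hung_ops) are assumptions made for the illustration, not Linux identifiers, and the "memory" is a small byte array standing in for /proc/<pid>/mem.

```c
/*
 * Added model (not the thread's or the kernel's code) of invalidating open
 * /proc/<pid>/mem descriptors on setuid exec by swapping the file's ops
 * table, the way tty_hangup() swaps a tty's f_op. All identifiers below are
 * assumptions for the illustration, not real Linux names.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE 64
#define MAX_OPEN 8

struct mem_file;

struct file_ops {
    long (*read)(struct mem_file *f, char *buf, size_t n);
    long (*write)(struct mem_file *f, const char *buf, size_t n);
};

/* The target task: a toy address space plus the files open on its mem. */
struct task {
    char mem[MEM_SIZE];
    int setuid;                        /* 1 once a setuid image is running */
    struct mem_file *open_mem[MAX_OPEN];
    int nopen;
};

/* One open descriptor on the task's mem: ops pointer plus target task. */
struct mem_file {
    const struct file_ops *f_op;
    struct task *target;
};

static long live_read(struct mem_file *f, char *buf, size_t n)
{
    if (n > MEM_SIZE) n = MEM_SIZE;
    memcpy(buf, f->target->mem, n);
    return (long)n;
}

static long live_write(struct mem_file *f, const char *buf, size_t n)
{
    if (n > MEM_SIZE) n = MEM_SIZE;
    memcpy(f->target->mem, buf, n);
    return (long)n;
}

/* After hangup: reads see EOF and writes fail, whatever the caller holds. */
static long hung_read(struct mem_file *f, char *buf, size_t n)
{
    (void)f; (void)buf; (void)n;
    return 0;
}

static long hung_write(struct mem_file *f, const char *buf, size_t n)
{
    (void)f; (void)buf; (void)n;
    return -EIO;
}

static const struct file_ops live_ops = { live_read, live_write };
static const struct file_ops hung_ops = { hung_read, hung_write };

/* open(): the permission check happens here, once; the fd outlives any exec. */
int mem_open(struct task *t, struct mem_file *f)
{
    if (t->setuid || t->nopen >= MAX_OPEN)
        return -EACCES;
    f->f_op = &live_ops;
    f->target = t;
    t->open_mem[t->nopen++] = f;
    return 0;
}

/* The proposal: on setuid exec, hang up every fd still open on this mem. */
void task_exec_setuid(struct task *t)
{
    for (int i = 0; i < t->nopen; i++)
        t->open_mem[i]->f_op = &hung_ops;   /* swap the ops table in place */
    t->nopen = 0;
    t->setuid = 1;
}

long mem_read(struct mem_file *f, char *buf, size_t n)        { return f->f_op->read(f, buf, n); }
long mem_write(struct mem_file *f, const char *buf, size_t n) { return f->f_op->write(f, buf, n); }

/* Scenario: open own mem while unprivileged, exec setuid, reuse the fd. */
long attack_after_exec(void)
{
    struct task t = { .setuid = 0, .nopen = 0 };
    struct mem_file fd;
    if (mem_open(&t, &fd) != 0) return -1;
    task_exec_setuid(&t);
    return mem_write(&fd, "owned", 5);      /* -EIO with hangup, 5 without it */
}

int main(void)
{
    printf("write after setuid exec returns %ld\n", attack_after_exec());
    return 0;
}
```

The point of the model is the last line of task_exec_setuid(): nothing about the caller's descriptor table changes, only the operations the descriptor dispatches through, which is why a stale fd held across the exec can no longer touch the now-privileged image.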