[337] in Best-of-Security
BoS: /dev/full a security hole?
daemon@ATHENA.MIT.EDU (H. Peter Anvin)
Tue Sep 9 04:26:30 1997
From: hpa@transmeta.com (H. Peter Anvin)
Date: 4 Sep 1997 03:49:10 GMT
Reply-To: hpa@transmeta.com (H. Peter Anvin)
Old-X-Originally-To: To: submit-linux-dev-kernel@transmeta.com
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au

I checked out the behaviour of a read of /dev/full, and found it
rather intriguing. It will return a successful read without modifying
the user-space buffer at all. It seems to me to be a wide-open
security hole, as this would permit reading some section of memory out
of a setuid program.

In RedHat 4.1, /dev/full is mode 644, which is strange in itself.

Unless there is some really good use for the current /dev/full
behaviour, I suggest we simply let /dev/full mimic either /dev/null or
/dev/zero on read.

-hpa
--
PGP: 2047/2A960705 BA 03 D3 2C 14 A8 A8 BD 1E DF FE 69 EE 35 BD 74
See http://www.zytor.com/~hpa/ for web page and full PGP public key
Always looking for a few good BOsFH. ** Linux - the OS of global cooperation
I am Baha'i -- ask me about it or see http://www.bahai.org/
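
A regression check for the behaviour described in the message above, added here as an example and not part of the original post or of any kernel code: it pre-fills a buffer with two different sentinel patterns, reads from the device after each fill, and counts bytes that read() reported as delivered but that still hold the sentinel both times. The function names, the 4096-byte limit and the sentinel values are assumptions chosen for illustration.

```c
/* Added example: detect a read() that reports success without writing
 * to the caller's buffer. All names here are hypothetical. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define PROBE_MAX 4096

/* One pass: pre-fill buf with `fill`, then read up to len bytes.
 * Returns what read() reported (byte count, or -1 on error). */
static ssize_t probe_pass(int fd, unsigned char *buf, size_t len,
                          unsigned char fill)
{
    memset(buf, fill, len);
    return read(fd, buf, len);
}

/* Number of bytes read() claimed to deliver that still hold the sentinel
 * in BOTH passes. Two different sentinels rule out a device that merely
 * returns data equal to one of them. -1 on bad len or open/read error. */
long untouched_bytes(const char *path, size_t len)
{
    unsigned char a[PROBE_MAX], b[PROBE_MAX];
    long untouched = 0;
    if (len == 0 || len > PROBE_MAX) return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -1;
    ssize_t na = probe_pass(fd, a, len, 0xAA);
    ssize_t nb = probe_pass(fd, b, len, 0x55);
    close(fd);
    if (na < 0 || nb < 0) return -1;
    ssize_t n = na < nb ? na : nb;   /* compare only bytes both reads claimed */
    for (ssize_t i = 0; i < n; i++)
        if (a[i] == 0xAA && b[i] == 0x55) untouched++;
    return untouched;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/full";
    long r = untouched_bytes(path, 256);
    if (r < 0) { perror(path); return 2; }
    printf("%s: %ld byte(s) reported read but left unmodified\n", path, r);
    return r ? 1 : 0;   /* non-zero exit flags a stale-buffer read */
}
```

A result of 0 means every byte the read claimed to deliver was actually written; any positive count means the caller would be left with whatever its buffer held before the call.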