[linuxkernelnewbies] LKML: Pavel Machek: Re: SECURITY PROBLEM: filesystem permiossion bypass on FD already opened

[peter teoh]

http://lkml.org/lkml/2009/10/23/206 Enter your search termsSubmit search formWeblkml.org Date Fri, 23 Oct 2009 22:59:32 +0200 From Pavel Machek <> Subject Re: SECURITY PROBLEM: filesystem permiossion bypass on FD already opened On Fri 2009-10-23 22:00:47, NiTRo wrote: > Hi to all, > Sorry for my bad english. > Just discovered this security problem on my Suse 11 (Linux xxxx > 2.6.25.18-0.2-pae #1 SMP 2008-10-21 16:30:26 +0200 i686 i686 i386 > GNU/Linux) and my Slackware 10.1.0 (Linux xxxx 2.4.29-ow1 #1 Wed Feb 2 > 00:05:42 CET 2005 i586 unknown unknown GNU/Linux) with OpenWall patch. > If a FD is opened on a allowed file and then the permission is changed > the file is still redeable starting from the already read position to > the EOF. There's no reason you could not even seek. And no, it is not a problem, it is just how unix works. Pavel > This is the scenario: > > <root> creates a file /tmp/aaaa with 666 permission an with the "test" > string inside it > xxx:/tmp # echo test > /tmp/aaaa > xxx:/tmp # chmod 666 /tmp/aaaa > <sb> opens this file hooking it in a shell as FD number 3 > s...@xxx:~> bash 3< /tmp/aaaa > <sb> read and prints it > s...@xxx:~> read a <&3 > s...@xxx:~> echo $a > test > s...@xxx:~> > ...anythig as expected... > <root> changes the permissions on file to 600 and changes its content > into "test o.o I cannot believe it..." > xxx:/tmp # chmod 600 /tmp/aaaa > xxx:/tmp # echo "test o.o I cannot believe it..." > /tmp/aaaa > <sb> continue to try reading the file > s...@xxx:~> read a <&3 > s...@xxx:~> echo $a > o.o I cannot believe it... > s...@test:~> > ... and this is not expected... But it should be :-). NiTRo wrote: > Just discovered this security problem [...] >If a FD is opened on a allowed file and then the permission is changed >the file is still redeable starting from the already read position to >the EOF. This is not a security problem; this is Unix working as designed. That's how file descriptors work. File permissions are checked when the file is opened, not on every read/write to the file descriptor. That's a pretty fundamental aspect of how Unix works, and it is well-documented and well-understood. On the other hand, the /proc attack that Pavel explains *is* a security problem. But that's different.