Date: Mon, 6 Jun 2011 22:08:06 +0400
From: Vasiliy Kulikov <segoon@...nwall.com>
To: kernel-hardening@...ts.openwall.com
Subject: Re: [RFC v1] procfs mount options

On Mon, Jun 06, 2011 at 00:10 +0400, Solar Designer wrote:
> > Process A with UID=1000 opens /proc/123/, while 123 has UID=1000.
> > 
> > 123 exec's setuid binary, /proc/123/ becomes unaccessible to A.
> > 
> > However, A still keeps the directory opened and may read its contents.
> 
> Oh, this is a valid concern.  Please research this.  Perhaps there
> should be a may-ptrace check (or maybe more than one).

This is similar to CVE-2011-1020:

https://lkml.org/lkml/2011/2/7/368
http://seclists.org/fulldisclosure/2011/Jan/421

The proposed solution for separate procfs files is implementing
additional runtime checks (besides POSIX perms); however, it probably
doesn't scale for the whole PID directory.

Will try to invent some simple way to deal with it.

-- 
Vasiliy
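
The stale-handle problem discussed in this message, as an added toy model in C that is not part of the original post or of any kernel patch: it contrasts a permission check made only at open time with one repeated at read time. All names (`may_access`, `proc_open`, `read_rechecked`, etc.) are hypothetical, and the access rule is a simplified stand-in for a may-ptrace check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy model only; every name here is hypothetical, none is kernel API. */
struct task   { int pid; unsigned uid, euid; const char *data; };
struct handle { struct task *target; bool allowed_at_open; };

/* Simplified stand-in for a may-ptrace style check. */
static bool may_access(unsigned caller_uid, const struct task *t)
{
    return caller_uid == 0 || (caller_uid == t->uid && caller_uid == t->euid);
}

/* Permission is evaluated once, when /proc/<pid>/ is opened. */
static struct handle proc_open(unsigned caller_uid, struct task *t)
{
    struct handle h = { t, may_access(caller_uid, t) };
    return h;
}

/* Open-time check only: a held handle keeps working after exec. */
static const char *read_open_time(const struct handle *h)
{
    return h->allowed_at_open ? h->target->data : NULL;
}

/* Additional runtime check: re-evaluate against the task's current creds. */
static const char *read_rechecked(unsigned caller_uid, const struct handle *h)
{
    if (!h->allowed_at_open || !may_access(caller_uid, h->target))
        return NULL;
    return h->target->data;
}

/* PID 123 execs a setuid binary: same pid, new effective uid and contents. */
static void exec_setuid(struct task *t, unsigned euid, const char *data)
{
    t->euid = euid;
    t->data = data;
}

int main(void)
{
    struct task t = { 123, 1000, 1000, "unprivileged state" };
    struct handle h = proc_open(1000, &t);   /* A opens before the exec */
    exec_setuid(&t, 0, "privileged state");
    printf("open-time only: %s\n", read_open_time(&h) ? "readable" : "denied");
    printf("rechecked:      %s\n", read_rechecked(1000, &h) ? "readable" : "denied");
    printf("fresh open:     %s\n", proc_open(1000, &t).allowed_at_open ? "allowed" : "denied");
    return 0;
}
```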
