H. Peter Anvin wrote:
>Alan Cox wrote:
>> Suppose I give you an O_RDONLY handle to a file which you then
>> flink and gain write access too ?
>
>This, I believe, is the real issue. However, we already have that
>problem:
No, I don't think we already have that problem. I think flink()
would introduce a new security hole not already present.
> rfd = open("testfile", O_RDONLY|O_CREAT, 0666);
> /* Now rfd is a read-only file descriptor */
>
> sprintf(filebuf, "/proc/self/fd/%d", rfd);
> wfd = open(filebuf, O_RDWR);
I don't think this is the same. With /proc/self/fd, I can't escalate
privileges on a read-only fd. You did the wrong test, because the user
already has write access to "testfile". Change the above to make rfd a
read-only file descriptor to a file that I don't have write permission to,
and you'll find that the test all of a sudden fails. (For instance, add
a chmod("testfile", 0444); between the two open()s, and see what happens.)
I think /proc/self/fd is doing the right thing. /proc/self/fd doesn't
seem to be a security hole, unless I'm missing something. I think flink()
would be a security risk, though. Or did I overlook something?
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Mon Apr 07 2003 - 22:00:29 EST