Re: question about /proc/<PID>/mem in 2.4 (fwd)

[Solar Designer]

On Sun, Jul 18, 2004 at 01:41:34PM +0100, Tigran Aivazian wrote:
> > | 	setuidapp < /proc/self/mem
[...]
> In the above example there is nothing forbidden and the current state of 
> things doesn't prevent the program from reading it's own address space.
> 
> Thus I see absolutely nothing special about the case:
> 
> # setuidapp < /proc/self/mem
> 
> and this program reading stdin.

The problem is the program does not know its stdin corresponds to a
process' address space and it does not know it is making use of a
privilege to read it.  A correctly written SUID root program may
reasonably assume that the data it obtains from stdin is whatever the
unprivileged user has provided, -- and, for example, display such data
back to the user (as a part of an error message or so).  If we permit
reads from /proc/<pid>/mem based on credentials of the read(2)-calling
process only, this assumption would be violated resulting in security
holes.

Oh, by the way, I've just noticed that the above example is not
entirely correct.  In order to read setuidapp's own address space
(after the kernel has been patched according to your proposal), it
should have been:

$ exec setuidapp < /proc/self/mem

-- 
Alexander Peslyak <solar@xxxxxxxxxxxx>
GPG key ID: B35D3598  fp: 6429 0D7E F130 C13E C929  6447 73C3 A290 B35D 3598
http://www.openwall.com - bringing security into open computing environments
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/