Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec

From: James Morris
Date: Mon Feb 07 2011 - 22:43:27 EST

Next message: Stephen Rothwell: "linux-next: build failure after merge of the drivers-x86 tree"
Previous message: Harry Wei: "[PATCH]Maintain Chinese Documentations"
In reply to: Kees Cook: "Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec"
Next in thread: Kees Cook: "Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, 7 Feb 2011, Kees Cook wrote:

> Sure, I know about O_CLOEXEC, but this is about protecting the
> just-been-execed setuid process from the attacking process that has no
> reason to set O_CLOEXEC.
>
> Something like this needs to be enforced on the kernel side. I.e. these
> file in /proc need to have O_CLOEXEC set in a way that cannot be unset.
>
> > Changing the behavior in the core kernel will break userspace.
>
> I don't think /proc/$pid/* needs to stay open across execs, does it? Or at
> least the non-0444 files should be handled separately.

Actually, this seems like a more general kind of bug in proc rather than a
leaked fd. Each child task should only see its own /proc/[pid] data.

- James
--
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Stephen Rothwell: "linux-next: build failure after merge of the drivers-x86 tree"
Previous message: Harry Wei: "[PATCH]Maintain Chinese Documentations"
In reply to: Kees Cook: "Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec"
Next in thread: Kees Cook: "Re: [SECURITY] /proc/$pid/ leaks contents across setuid exec"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]