Some weeks ago I reported a bug that sometimes an entry for a
process remains in the proc filesystem though the process has exited.
In a slightly different way this bug still exists in 2.1.131. This is not
only a bug, it is also a small security hole.
Suppose I run a process with pid=1000. In another process I change cwd to
/proc/1000 or /proc/1000/fd. After process 1000 exits, any other
process (even with other UID) still can access the /proc/1000 dir. As long
as there are any processes with cwd==/proc/1000, this directory does not
disappear.
If one of my processes has its cwd in /proc/1000/fd when process 1000
exits, and I wait for about 32000 forks, then another user will start a
process which gets pid=1000. Now I can list the contents of my cwd
/proc/1000/fd and find how many file descriptors the other user's process
has. Normally I cannot do this.
bye
Egmont Koblinger
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/