/proc and directory permissions
Posted Oct 29, 2009 4:41 UTC (Thu) by jimparis
In reply to: /proc and directory permissions
Parent article: /proc and directory permissions
It's not as bad as you thought -- setting up the right situation is tricky.
Consider something like this setup:
$ sudo ls -al /dir
drwx------ 2 root root 4096 2009-10-29 00:28 .
drwxr-xr-x 27 root root 4096 2009-10-29 00:28 ..
-rw-rw-rw- 1 root root 6 2009-10-29 00:28 file.txt
Now as an unprivileged user, you can't read or write the file, even though it's mode 0666, because the directory is mode 0700:
$ echo hi > /dir/file.txt
bash: /dir/file.txt: Permission denied
Now here's the trick. Assume that you somehow have an open read-only file descriptor that refers to this file. In the bugtraq conversations, this was achieved by opening the file while the administrator was messing with permissions. But there are other cases — for example, a system daemon might have opened the file read-only and passed you the file descriptor over Unix sockets. Or you inherited a read-only file descriptor when your process was started.
Now, once you have this open fd, you can re-open it as read-write using the link in /proc/$YOUR_OWN_PID/fd/ — which is allowed because the file is mode 0666, even though the directory typically wouldn't allow you to do that.
A source of contention is whether this is unexpected. It's certainly not completely obvious.
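A reproduction of the behaviour described in the comment above, added here as an illustration and not part of the original post. It assumes a Linux system with /proc mounted, uses a self-owned scratch directory under /tmp set to mode 0000 in place of the root-owned 0700 directory, and also runs the case where the file itself is mode 0444, which shows that the file's own mode is what has to deny the write.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* errno from each attempt to get a read-write descriptor (0 = success). */
struct result { int by_path; int via_proc; };

static int try_open(const char *p)
{
    int fd = open(p, O_RDWR);
    int err = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    return err;
}

/* Build <tmpdir>/file.txt with file_mode, keep an O_RDONLY fd, make the
 * directory unsearchable, then ask for O_RDWR by path and via /proc. */
struct result try_reopen(mode_t file_mode)
{
    struct result r = { -1, -1 };
    char dir[] = "/tmp/procfd-XXXXXX", path[64], proc_link[64]; /* constructed */
    if (!mkdtemp(dir)) return r;
    snprintf(path, sizeof path, "%s/file.txt", dir);
    int fd = open(path, O_CREAT | O_WRONLY, 0600);
    if (fd >= 0) { fchmod(fd, file_mode); close(fd); } /* fchmod ignores umask */
    int ro = open(path, O_RDONLY);    /* the read-only fd we "somehow" hold */
    if (ro >= 0) {
        chmod(dir, 0);                /* directory now denies path lookup */
        r.by_path = try_open(path);
        snprintf(proc_link, sizeof proc_link, "/proc/self/fd/%d", ro);
        r.via_proc = try_open(proc_link); /* no directory walk; file mode decides */
        close(ro);
    }
    chmod(dir, 0700); unlink(path); rmdir(dir); /* clean up the scratch files */
    return r;
}

int main(void)
{
    struct result a = try_reopen(0666), b = try_reopen(0444);
    printf("file 0666: by path errno=%d, via /proc errno=%d\n", a.by_path, a.via_proc);
    printf("file 0444: by path errno=%d, via /proc errno=%d\n", b.by_path, b.via_proc);
    return 0;
}
```

Run it as a non-root user: root bypasses both permission checks, so every open succeeds and the difference disappears.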