Fun with /proc permissions

[Posted July 7, 2004 by corbet]

Herbert Poetzl discovered some interesting behavior in the 2.6 kernel: it seems that any user can set arbitrary permissions on most files in /proc. A patch had been merged back in the 2.5 days which enabled changing of permissions, but an important check got left out.

For the most part, the security implications of this bug are small, but real. Local users can make files in /proc inaccessible, which can break commands (like ps) which rely on them. Making /proc/sysrq-trigger writable allows some obnoxious mayhem to be created. On the other hand, changing permissions in /proc/sys has no useful effect: the sysctl code performs its own permissions checking on top of what the filesystem does. The actual process entries under /proc do their own checking as well, and do not allow the permissions to be changed.

The fix is simple, and has been merged for 2.6.8. But some developers wondered why anybody would want to mess with permissions in /proc in the first place. It turns out that there is some information there which, in some cases, people would like to hide from other users on the system. Command lines for specific processes and TCP connection tracking information were mentioned as specific examples. So permissions tweaking in /proc will remain - but not just anybody will be able to do it.