On Tue, Oct 27, 2009 at 12:29:09AM +0300, Dan Yefimov wrote:
> and testing them. Remember the scenario from the original mail and try
> finding a window, during which creating a hardlink would still work thus
> evading directory permissions check.
The main thing this does is allow a hardlink-like attack to work across
mountpoints afaics.
Instead of making hardlink you run something that keeps an fd open to the
file.
That said, I don't see how this is a vuln in /proc. Can you not have your
little program seek back to the beginning and re-read the file in order
to track changes?
You can't actually use /proc/*/fd to gain access to files opened by
processes you do not own. Only ones you do (at least in a mainline kernel)
which is fair enough. This means that you can't have user a open a file
owned by user b and then let user c have access to it via /proc/$pid/fd.
Or am I misreading/misunderstanding something? I've not tested all of the
above (no time). Just going off remembered experience.
--
"A search of his car uncovered pornography, a homemade sex aid, women's
stockings and a Jack Russell terrier."
- http://www.news.com.au/story/0%2C27574%2C24675808-421%2C00.html
