On Sun, Oct 25, 2009 at 10:36:04AM +0100, Pavel Machek wrote: > On Mon 2009-10-26 13:57:49, Trond Myklebust wrote: > > On Mon, 2009-10-26 at 18:46 +0100, Jan Kara wrote: > > > That's what I'd think as well but it does not as I've just learned and > > > tested :) proc_pid_follow_link actually directly gives a dentry of the > > > target file without checking permissions on the way. > > It is weider. That symlink even has permissions. Those are not > checked, either. > > > I seem to remember that is deliberate, the point being that a symlink > > in /proc/*/fd/ may contain a path that refers to a private namespace. > > Well, it is unexpected and mild security hole. > > Part of the problem is that even if you have read-only > filedescriptor, you can upgrade it to read-write, even if path is > inaccessible to you. > > So if someone passes you read-only filedescriptor, you can still write > to it. By the way, nfs-exporting a filesystem also allows bypassing lookup permissions: anyone on the network can access an inode directly (using an nfs filehandle) without necessarily traversing any path to that inode. (Assuming they can guess the filehandle--probably doable in most cases.) Not arguing for or against, just another data point. --b. -- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html