On Wed, Sep 14, 2011 at 20:00 +0400, Cyrill Gorcunov wrote:
> On Wed, Sep 14, 2011 at 06:48:41PM +0400, Vasiliy Kulikov wrote:
> ...
> >
> > Actually now I see the difference between having something mapped and
> > having an _fd_ of this something.
> >
> > Relevant code:
> >
> > +static struct dentry *
> > +proc_map_files_instantiate(struct inode *dir, struct dentry *dentry,
> > + struct task_struct *task, const void *ptr)
> > +{
> > ...
> > + inode->i_mode = S_IFLNK;
> > +
> > + if (file->f_mode & FMODE_READ)
> > + inode->i_mode |= S_IRUSR | S_IXUSR;
> > + if (file->f_mode & FMODE_WRITE)
> > + inode->i_mode |= S_IWUSR | S_IXUSR;
> >
> >
> > If you have a write mmap area, but no fd, you may not trunc a file; with
> > map_files/ you may get an fd and ftrunc it.
> >
>
> This stands for anonymous memory, and if you have enough rights to
> access the task this ftruncate is the last problem (since having ptrace
> access to the task I _aready_ can trash various stuff inside, i dont need
> even bother to look into map_files/ or whatever). So I don't see how
> ftruncate migh harm you here?
No, I mean something else. Assume you have a task, which does the
steps:
1) opens some sensitive file as root. This file is e.g. 0700.
2) mmaps the file via opened fd, either RO or RW.
3) closes fd.
4) drops root.
Now it has a mapping of a privileged file, but cannot get fd of it
anyhow. With map_files/ he may open his own /proc/$$/map_files/, pass
ptrace() check, and get fd of the privileged file. He cannot explicitly
open it as it is 0700, but he may open it via map_files/ and get RO/RW
fd.
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
