Re: /proc filesystem allows bypassing directory permissions on Linux

[Dan Yefimov <dan@xxxxxxxxxxxxxxxx>]

On 29.10.2009 0:27, Pavel Machek wrote:
> > > That race is easily fixed.
> >
> > No, you're not right.
> >
> > > After chmodding the directory to 0700, *first*
> > > check the link count, *then* chmod the file to 0666:
> > >
> > >      User1 creates file with permissions 0644
> > >                      User2 opens file for read access on file descriptor 4
> > >      User1 chmod's directory to 0700
> > >      User1 verifies no hard links to file
> >
> > Here's a window, during which User2 is able to create a hardlink and
> > that will remain unnoticed by User1. There's no way to perform link
> > check and conditionally do chmod in an atomic manner.
>
> 0700 on directory prevents hardlink creation, see?
Do you still remember about openat()? If the directory was created with 0700 
mode from the origin, you would be right, and procfs wouldn't allow opening 
files in that directory too, but if you let others to traverse that directory 
and open your believed to be secure files from the origin, it's your fault.
--

Sincerely Your, Dan.