1
linux/fs/proc
Eric W. Biederman 778c114477 [PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks
Since 2.2 we have been doing a chroot check to see if it is appropriate to
return a read or follow one of these magic symlinks.  The chroot check was
asking a question about the visibility of files to the calling process and
it was actually checking the destination process, and not the files
themselves.  That test was clearly bogus.

In my first pass through I simply fixed the test to check the visibility of
the files themselves.  That naive approach to fixing the permissions was
too strict and resulted in cases where a task could not even see all of
it's file descriptors.

What has disturbed me about relaxing this check is that file descriptors
are per-process private things, and they are occasionaly used a user space
capability tokens.  Looking a little farther into the symlink path on /proc
I did find userid checks and a check for capability (CAP_DAC_OVERRIDE) so
there were permissions checking this.

But I was still concerned about privacy.  Besides /proc there is only one
other way to find out this kind of information, and that is ptrace.  ptrace
has been around for a long time and it has a well established security
model.

So after thinking about it I finally realized that the permission checks
that make sense are the permission checks applied to ptrace_attach.  The
checks are simple per process, and won't cause nasty surprises for people
coming from less capable unices.

Unfortunately there is one case that the current ptrace_attach test does
not cover: Zombies and kernel threads.  Single stepping those kinds of
processes is impossible.  Being able to see which file descriptors are open
on these tasks is important to lsof, fuser and friends.  So for these
special processes I made the rule you can't find out unless you have
CAP_SYS_PTRACE.

These proc permission checks should now conform to the principle of least
surprise.  As well as using much less code to implement :)

Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-26 09:58:26 -07:00
..
array.c [PATCH] hrtimers: remove it_real_value calculation from proc/*/stat 2006-03-26 08:57:02 -08:00
base.c [PATCH] proc: Use sane permission checks on the /proc/<pid>/fd/ symlinks 2006-06-26 09:58:26 -07:00
generic.c [PATCH] mark f_ops const in the inode 2006-03-28 09:16:05 -08:00
inode-alloc.txt Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
inode.c [PATCH] proc: Use struct pid not struct task_ref 2006-06-26 09:58:26 -07:00
internal.h [PATCH] proc: Use struct pid not struct task_ref 2006-06-26 09:58:26 -07:00
kcore.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
kmsg.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
Makefile [PATCH] kdump: Access dump file in elf format (/proc/vmcore) 2005-06-25 16:24:53 -07:00
mmu.c [PATCH] fix impossible VmallocChunk 2005-05-17 07:59:10 -07:00
nommu.c [PATCH] output of /proc/maps on nommu systems is incomplete 2005-10-17 17:03:57 -07:00
proc_devtree.c [PATCH] powerpc: Cope with duplicate node & property names in /proc/device-tree 2006-03-28 16:45:23 +11:00
proc_misc.c [PATCH] Simplify proc/devices and fix early termination regression 2006-03-31 12:18:53 -08:00
proc_tty.c Linux-2.6.12-rc2 2005-04-16 15:20:36 -07:00
root.c [PATCH] VFS: Permit filesystem to override root dentry on mount 2006-06-23 07:42:45 -07:00
task_mmu.c [PATCH] proc: Use struct pid not struct task_ref 2006-06-26 09:58:26 -07:00
task_nommu.c [PATCH] proc: Move proc_maps_operations into task_mmu.c 2006-06-26 09:58:24 -07:00
vmcore.c [PATCH] kdump proc vmcore size oveflow fix 2006-04-11 06:18:42 -07:00