1.2.11, /proc and FIOSETOWN

Marek Michalkiewicz (marekm@i17linuxb.ists.pwr.wroc.pl)
Tue, 27 Jun 1995 15:50:51 +0200 (MET DST)

Hi, 1.2.11 is out and it has the following /proc security patch:

--- v1.2.10/linux/fs/proc/inode.c Sun Feb 12 21:11:02 1995
+++ linux/fs/proc/inode.c Mon Jun 26 16:17:56 1995
@@ -194,8 +194,10 @@
return;
}
ino &= 0x0000ffff;
- inode->i_uid = p->euid;
- inode->i_gid = p->egid;
+ if (p->dumpable && p->uid == p->euid && p->gid == p->egid) {
+ inode->i_uid = p->uid;
+ inode->i_gid = p->gid;
+ }
switch (ino) {
case PROC_PID_INO:
inode->i_nlink = 4;

This prevents exploiting the hole using ftpd (because uid != euid), but
there is still a problem when using shadow passwords - it is more difficult
to exploit, but potentially allows reading part of /etc/shadow. How?

There is a short window of time when login runs at uid == euid of the user
who is logging in, just before the login shell is executed. Similar problem
exists for other programs which switch to the new uid completely. It is
possible to ptrace the process, or read /proc/pid/mem during that time.
Of course the user can't do any damage, but there is no easy way to erase
the part of /etc/shadow left in stdio buffers. That's why I proposed to
clear the dumpable flag whenever the euid or fsuid is changed. But this
is not being done in 1.2.11.

I am not the first one to notice this problem - this is mentioned in the
Samba docs, as a bug that apparently exists only on Linux. The problem
is not only with /proc - it is possible to attach to the process using
a debugger, so "umount /proc" won't help here.

Another problem I reported (even sent a patch) which is still not fixed
is in linux/net/inet/af_inet.c - the permission check to do the FIOSETOWN
ioctl() is missing, allowing anyone to send a SIGURG to any process.
There was similar hole with the F_SETOWN fcntl() which has been fixed
long time ago, but the FIOSETOWN ioctl can do the same thing (set sk->proc
which is the pid to send a SIGURG to when there is some new TCP urgent
data). Or am I wrong? But then the F_SETOWN fcntl check is not necessary
either...

If I am wrong please tell me so, otherwise please fix it. In both cases
I promise to shut up - at least until I find another bug :-). Thanks!

Sorry for bugging you with bug reports, this is only to help make the best
OS even better...

Regards,
Marek
[who is waiting for 1.2.12 :-)]