Re: /proc/<pid>/mem unreadable (was strace and linux 1.3.97)

Kevin M Bealer (
Sat, 4 May 1996 02:41:39 -0400 (EDT)

On Thu, 2 May 1996, Aaron Ucko wrote:

> >>>>>> "?????" == unknown author writes:
> >>>>>> "Aaron" == Aaron Ucko <> writes:
> >>>>>> "Kevin" == Kevin M Bealer <> writes:
> >
> >
> >?????> The same happened to me. The problem is that strace accesses
> >?????> the tracee's memory through /proc/<pid>/mem but as of 1.3.96
> >?????> any read from processes different from the one which owns the
> >?????> memory fail with EACCES.
> >
> >Aaron> This looks like an overly-conservative patch for the
> >Aaron> /proc/<pid>/mem security hole involving setuid programs. The
> >Aaron> kernel should really return EACCESS only if the process we are
> >Aaron> trying to read is setuid.
> >
> >Kevin> From what I caught of the discussion, you can start watching
> >Kevin> the process's memory, then have the process 'exec' something
> >Kevin> suid root, and read straight through the suid root memory.
> >
> >Seems to me that the answer, then, is to have /prov/<pid>/mem mod 600
> >and owned by the euid of the process, rather than owned by the uid
> >that ran it. Linus?
> Whoops, I misspoke. It's already 600 and owned by the euid; the hole
> involves opening the fd before the exec and holding on to it while it
> changes modes. At that point, the fd needs to be somehow invalidated
> for non-root processes.

Or, alternately, the exec could fail if the /proc file is open... which ever
is easier to code? Is there any way to bring down a critical daemon this
way? (if an fd is invalid, might the process reading it core dump? if so,
does this dump potentially hold suid memory? (I think I'm out of my league
here (which is little league:)))

> -- Aaron Ucko (; finger for PGP public key) | httyp!
> "That's right," he said. "We're philosophers. We think, therefore we am."
> -- Terry Pratchett, _Small Gods_ | Geek Code 3.1 [for explanation, finger
>]: GCS/M/S/C d- s: a18 C++(+++)>++++ UL++>++++ P++
> L++>+++++ E- W(-) N++(+) o+ K- w--- O M@ V-(--) PS++(+++) PE- Y(+) PGP(+) t(+)
> !5 X-- R(-) tv-@ b++(+++) DI+ !D-- G++(+++) e->+++++(*) h!>+ r-(--)>+++ y?

You have new mail in /dev/null