Re: O_NOLINK for open()

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Al Viro <viro@...>

Cc: <linux-kernel@...>

Date: Wednesday, September 12, 2007 - 7:27 pm

On Wed, 12 Sep 2007, Al Viro wrote:

quoted text> On Wed, Sep 12, 2007 at 05:44:30PM -0500, Brent Casavant wrote:
> 
> > P.S. By the way, there doesn't seem to be a way to remove /proc/#/mem
> >      files.  That might be an additional nicety -- programs worried about
> >      being snooped could unlink their own entry.  /dev/mem and /dev/kmem
> >      can simply be removed by the sysadmin of such a system.  If all of
> >      that were done you'd have to resort to attacking crash dumps, core
> >      dumps, or via something like kdb to extract "hidden" data.
> 
> Give me a break.  And learn about ptrace(2).  This "unlinking" bullshit
> buys you zero additional security, both for /proc/*/mem and for /dev/mem
> (see mknod(2)).

Yes, I fully understand that mknod can recreate the nodes -- however
only the superuser can do so, and if the superuser is attacking a
process all bets are off anyway.  OK, so /dev/*mem isn't to worry
about, since it's already owned by root.  Still, /proc/#/mem is owned
by the user, not root, leaving it potentially open to inspection by
third party processes.

I'm thinking out loud.  Sorry to cause any grief.

My (limited) understanding of ptrace is that a parent-child
relationship is needed between the tracing process and the traced
process (at least that's what I gather from the man page).  This
does give cause for concern, and I might have to see what can be
done to alleviate this concern.  I fully realize that making this
design completely unassilable is a fools errand, but closing off
as many attack vectors as possible seems prudent.

-- 
Brent Casavant                          All music is folk music.  I ain't
bcasavan@sgi.com                        never heard a horse sing a song.
Silicon Graphics, Inc.                    -- Louis Armstrong
-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

O_NOLINK for open(), Brent Casavant, (Wed Sep 12, 4:37 pm)

Re: O_NOLINK for open(), Gabor Gombas, (Thu Sep 13, 6:08 am)

Re: O_NOLINK for open(), Brent Casavant, (Thu Sep 13, 12:05 pm)

Re: O_NOLINK for open(), Andreas Schwab, (Wed Sep 12, 5:42 pm)

Re: O_NOLINK for open(), Brent Casavant, (Wed Sep 12, 6:44 pm)

Re: O_NOLINK for open(), Al Viro, (Wed Sep 12, 6:49 pm)

Re: O_NOLINK for open(), Brent Casavant, (Wed Sep 12, 7:27 pm)

Re: O_NOLINK for open(), Goswin von Brederlow, (Fri Sep 14, 12:37 pm)

Re: O_NOLINK for open(), Brent Casavant, (Wed Sep 12, 7:48 pm)

Re: O_NOLINK for open(), H. Peter Anvin, (Wed Sep 12, 5:07 pm)

Re: O_NOLINK for open(), Brent Casavant, (Wed Sep 12, 5:39 pm)

Re: O_NOLINK for open(), H. Peter Anvin, (Wed Sep 12, 5:46 pm)


linux-kernel:
Andrew Morton	2.6.23-rc3-mm1
Tarkan Erimer	Re: Dual-Licensing Linux Kernel with GPL V2 and GPL V3
Yinghai Lu	Re: [PATCH RFC] x86: check for and defend against BIOS memory corruption
Frederik Deweerdt	[-mm patch] remove tcp header from tcp_v4_check (take #2)
openbsd-misc:

linux-netdev:
David Miller	[GIT]: Networking
Jarek Poplawski	Re: [PATCH] pkt_sched: Destroy gen estimators under rtnl_lock().
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Herbert Xu	Re: [PATCH 2/3][NET_BATCH] net core use batching
git:

Re: O_NOLINK for open()

Online users