Subject: Re: Bugtraq: procfs hole
To: None <rickb@iaw.on.ca>
From: Andrew Brown <codewarrior@daemon.org>
List: tech-security
Date: 08/15/1997 11:20:11
>I supped today, but procfs still appears to be vulnerable. I haven't
>looked much at the procfs source yet, but from the comment in the new
>checkioperm(), could the problem be that the exploit doesn't "open the
>memory of a setuid process" so isn't caught by rule 1? It opens the
>memory of a normal process (the exploit), which then the process exec's to
>a setuid program after the memory is already open.
am i wrong in my understanding that procfs is simply "a nice feature",
or do there exist programs that actually use it for something?
wouldn't a simpler solution be to basically effect a revoke(2) on the
"file descriptor" or "vnode" associated with the mem pseudo-file on
each process before it does the exec (maybe even only do this if the
exec is calling a suid program)? this could be placed in the exec
subsystem...
not that i'm offering to do this myself any time soon. :) i'm just
thinking out loud...
>I've e-mailed Jason, but he won't be back until Wednesday. So the obvious
>intermediate fix is to take procfs out of your kernel. Obviously,
>removing mount_procfs won't help much.
yes, take it out...leave it out. until it's fixed.
--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan) * "ah! i see you have the internet
codewarrior@daemon.org that goes *ping*!"
warfare@graffiti.com * "information is power -- share the wealth."
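Not from the thread: an added, constructed C model of the hole as rickb describes it (a mem descriptor opened while the process is still unprivileged outliving an exec of a set-uid image) and of the revoke-on-exec fix Andrew sketches. The struct layouts and the names mem_open, mem_read and do_exec are hypothetical stand-ins for the NetBSD procfs and exec paths, not the real kernel interfaces; rule 1 of checkioperm() is modelled only as far as the quoted message states it.

```c
/* Constructed model, not kernel code: how opening /proc/<pid>/mem before
 * an exec slips past checkioperm() rule 1, and how revoking the mem
 * vnode at exec time closes that window. All names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

struct vnode {
    int  refs;      /* descriptors that reference this vnode */
    bool revoked;   /* set by revoke(2); every holder then gets EBADF */
};

struct proc {
    int          pid;
    bool         setuid;   /* true while running a set-uid image */
    struct vnode mem;      /* the vnode behind /proc/<pid>/mem */
};

/* open(2) of /proc/<target>/mem. Rule 1: never hand out the memory of a
 * process that is currently set-uid. Returns NULL (EPERM) when refused. */
struct vnode *mem_open(struct proc *target)
{
    if (target->setuid)
        return NULL;
    target->mem.refs++;
    return &target->mem;
}

/* read(2) through a mem descriptor: 0 on success, -1 (EBADF) once the
 * vnode has been revoked. */
int mem_read(const struct vnode *vp)
{
    return vp->revoked ? -1 : 0;
}

/* exec(2) model with the proposed fix: when the new image is set-uid,
 * revoke the process's mem vnode so descriptors opened earlier (by the
 * process itself or by anyone else) stop working. Returns the number of
 * descriptors cut off. Without this step a descriptor opened while the
 * process was unprivileged survives into the set-uid image. */
int do_exec(struct proc *p, bool image_is_setuid)
{
    int cut_off = 0;
    if (image_is_setuid && !p->mem.revoked && p->mem.refs > 0) {
        p->mem.revoked = true;
        cut_off = p->mem.refs;
    }
    p->setuid = image_is_setuid;
    return cut_off;
}
```

The non-set-uid exec path leaves the descriptor alone, matching the "maybe even only do this if the exec is calling a suid program" variant; a stricter model would revoke unconditionally.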