| From | pacman@kosh.dhis.org (Alan Curry) |
|---|---|
| Newsgroups | comp.os.linux.development.system |
| Subject | Re: "Permission denied" while reading file /proc/<pid>/maps with permissions '-r--r--r--' |
| Date | 2012-10-02 21:44 +0000 |
| Organization | Aioe.org NNTP Server |
| Message-ID | <k4fn7s$5cf$1@speranza.aioe.org> |
| References | <20de89c1-dcb3-42b2-b281-d22af2035db5@googlegroups.com> <87ehlh9d99.fsf@araminta.anjou.terraraq.org.uk> <c8cf57cb-5078-4996-9cea-c36d36c98348@googlegroups.com> <874nmcy9nl.fsf@araminta.anjou.terraraq.org.uk> |
In article <874nmcy9nl.fsf@araminta.anjou.terraraq.org.uk>,
Richard Kettlewell <rjk@greenend.org.uk> wrote:
>Alex Vinokur <alex.vinokur@gmail.com> writes:
>> Richard Kettlewell wrote:
>
>>> Because there's an extra check built into the kernel to stop you reading
>>> that file without a matching UID or the ptrace capability.
>>
>> Thanks,
>>
>> But the file has -r--r--r-- permissions.
>> So, any process with any effective user may read such a file.
>
>The permissions aren't the whole story, as stated above.
The permissions accurately describe who may open the file.
```
$ strace cat /proc/1/maps
[...]
open("/proc/1/maps", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
read(3, 0x212c000, 32768) = -1 EACCES (Permission denied)
[...]
```
With a regular, non-procfs-magic file, if you don't have read permission, the open will fail. With some of the files in /proc, the open is allowed but the read fails.

The difference is irrelevant for the simple case of cat where opening, reading, and closing and/or exiting are done in quick succession. But the normal permissions rule (check permission on open, not on read) adds some flexibility: you can open a file for reading and pass the file descriptor to another process, and then the other process can read it regardless of whether it would have been able to do the open itself.

Or a file can be opened, then the process can use setuid() to drop the privileges it needed for the open, and keep it open for later reading. Somewhere in the middle there may be a fork() and execve() too; as long as the fd stays alive, the file can still be read.

Someone must have decided that the normal unix permissions check-on-open was insufficient for /proc (general paranoia, or because there was a demonstrated attack method involving a read from an inherited file descriptor). So it does check-on-read.

I can't explain why they didn't also change the permissions to 400 though. It doesn't seem useful to allow an open if all uses of the fd are going to fail, and it doesn't seem likely that you'd ever want to open a file, then *gain* the necessary privileges, then read it. Why not do your privilege-gaining operation first?
--
Alan Curry