bug: stdio pipe is root owned so reopening it fails
Jamie Lokier
jamie at shareable.org
Sat May 2 00:14:39 AWST 2020
Hi Matt,
Matt Johnston wrote:
> Not really sure of a good workaround.
You can fchmod() or fchown() the pipe descriptor, with fchown() being more secure.
# echo hello | (ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
prw------- 1 root root 0 May 1 17:06 /proc/self/fd/0
cat: /proc/self/fd/0: Permission denied
# echo hello | (chmod a+rw /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
prw-rw-rw- 1 root root 0 May 1 17:05 /proc/self/fd/0
hello
# echo hello | (chown nobody: /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
prw------- 1 nobody nogroup 0 May 1 17:06 /proc/self/fd/0
hello
Best,
- Jamie
Matt Johnston wrote:
> Hi Szabolcs,
>
> Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon
> as the user, while Dropbear runs as root.
>
> The procfs manpage mentions the problem. [1]http://man7.org/linux/man-pages/
> man5/proc.5.html
>
> Note that for file descriptors referring to inodes (pipes and
> sockets, see above), those inodes still have permission bits
> and ownership information distinct from those of the
> /proc/[pid]/fd entry, and that the owner may differ from the
> user and group IDs of the process. An unprivileged process
> may lack permissions to open them, as in this example:
>
> $ echo test | sudo -u nobody cat
> test
> $ echo test | sudo -u nobody cat /proc/self/fd/0
> cat: /proc/self/fd/0: Permission denied
>
> Not really sure of a good workaround.
More information about the Dropbear
mailing list