bug: stdio pipe is root owned so reopening it fails

Jamie Lokier jamie at shareable.org
Sat May 2 00:14:39 AWST 2020


Hi Matt,

Matt Johnston wrote:
> Not really sure of a good workaround.

You can fchmod() or fchown() the pipe descriptor, with fchown() being more secure.

    # echo hello | (ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
    prw------- 1 root root 0 May  1 17:06 /proc/self/fd/0
    cat: /proc/self/fd/0: Permission denied

    # echo hello | (chmod a+rw /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
    prw-rw-rw- 1 root root 0 May  1 17:05 /proc/self/fd/0
    hello

    # echo hello | (chown nobody: /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
    prw------- 1 nobody nogroup 0 May  1 17:06 /proc/self/fd/0
    hello

Best,
- Jamie


Matt Johnston wrote:
> Hi Szabolcs,
>
> Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon
> as the user, while Dropbear runs as root.
>
> The procfs manpage mentions the problem. [1]http://man7.org/linux/man-pages/
> man5/proc.5.html
>
>               Note that for file descriptors referring to inodes (pipes and
>               sockets, see above), those inodes still have permission bits
>               and ownership information distinct from those of the
>               /proc/[pid]/fd entry, and that the owner may differ from the
>               user and group IDs of the process.  An unprivileged process
>               may lack permissions to open them, as in this example:
>
>                   $ echo test | sudo -u nobody cat
>                   test
>                   $ echo test | sudo -u nobody cat /proc/self/fd/0
>                   cat: /proc/self/fd/0: Permission denied
>
> Not really sure of a good workaround.



More information about the Dropbear mailing list