bug: stdio pipe is root owned so reopening it fails
Szabolcs Nagy
nsz at port70.net
Sat May 2 02:59:03 AWST 2020
* Jamie Lokier <jamie at jlokier.co.uk> [2020-05-01 17:10:24 +0100]:
> Hi Matt,
>
> > Not really sure of a good workaround.
>
> You can fchmod() or fchown() the pipe descriptor, with fchown() being more secure.
>
> # echo hello | (ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
> prw------- 1 root root 0 May 1 17:06 /proc/self/fd/0
> cat: /proc/self/fd/0: Permission denied
>
> # echo hello | (chmod a+rw /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
> prw-rw-rw- 1 root root 0 May 1 17:05 /proc/self/fd/0
> hello
>
> # echo hello | (chown nobody: /proc/self/fd/0; ls -lL /proc/self/fd/0; sudo -u nobody cat /proc/self/fd/0)
> prw------- 1 nobody nogroup 0 May 1 17:06 /proc/self/fd/0
> hello
>
> Best wishes,
> - Jamie
>
> Matt Johnston wrote:
> > Hi Szabolcs,
> >
> > Ah, that's a bit nasty. I guess the difference is that OpenSSH runs the daemon
> > as the user, while Dropbear runs as root.
isn't it better security design to drop privs
as soon as possible so everything in the
process that's managing a user's session runs
as that user and not as root?
but i guess that requires more changes than
fchown on 0/1/2 fds.
i can rebuild dropbear so if the fchown is
a simple patch that works for me.
thanks.
> >
> > The procfs manpage mentions the problem. [1] http://man7.org/linux/man-pages/man5/proc.5.html
> >
> > Note that for file descriptors referring to inodes (pipes and
> > sockets, see above), those inodes still have permission bits
> > and ownership information distinct from those of the
> > /proc/[pid]/fd entry, and that the owner may differ from the
> > user and group IDs of the process. An unprivileged process
> > may lack permissions to open them, as in this example:
> >
> > $ echo test | sudo -u nobody cat
> > test
> > $ echo test | sudo -u nobody cat /proc/self/fd/0
> > cat: /proc/self/fd/0: Permission denied
> >
> > Not really sure of a good workaround.