Hi! When you see snippet from strace, that says: open("/etc/passwd", O_RDONLY) = 3 Do you trust it? You should not. Malicious program could open _any_ file on filesystem with this syscall. Here is example of such malicious program: void main(void) { char *c = 0x94000000; open( "/tmp/delme", O_RDWR ); mmap( c, 4096, PROT_READ | PROT_WRITE, MAP_FIXED | MAP_SHARED, 3, 0); *c = 0; if (fork()) { while(1) { strcpy( c, "/public" ); strcpy( c, "/secret" ); } } else while (1) open( c, 0 ); } Depending on races, /public or /secret is printed with strace. This can be reproduced even on UP and easiest way to do so is to make /public file readable, and then look if you get [pid 224] open("/public", O_RDONLY) = 718 [pid 224] open("/secret", O_RDONLY) = 719 [pid 224] open("/public", O_RDONLY) = 720 snippet like this. It is impossible for kernel to open non-existent file; that means that strace printed something that did not actually happen. Any ideas how to get rid of this problem? It is nasty. It is very nasty and makes strace unusable for anything security-sensitive. Pavel PS: You don't need two processes sharing memory. Memory-mapped file will do the job. This was just illustration. -- I'm pavelat_private "In my country we have almost anarchy and I don't care." Panos Katsaloulis describing me w.r.t. patents me at discussat_private
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:23:32 PDT