Mr Process's wild ride
source link: http://joeyh.name/blog/entry/process_wild_ride/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
When a unix process is running in a directory, and that directory gets renamed, the process is taken on a ride to a new location in the filesystem. Suddenly, any "../" paths it might be using point to new, and unexpected locations.
This can be a source of interesting behavior, and also of security holes.
Suppose root is poking around in ~user/foo/bar/ and decides to
vim ../../etc/conffile
If the user notices this process is running, they can mv ~/foo/bar /tmp
and when vim saves the file, it will write to /tmp/bar/../../etc/conffile
AKA /etc/conffile.
(Vim does warn that the file has changed while it was being edited. Other editors may not. Or root may be feeling especially BoFH and decide to overwrite the user's changes to their file. Or the rename could perhaps be carefully timed to avoid vim's overwrite protection.)
Or, suppose root, in the same place, decides to archive ../../etc with tar,
and then delete it:
tar cf etc.tar ../../etc; rm -rf ../../etc
Now the user has some time to take root's shell on a ride, before the
rm starts ... and make it delete all of /etc!
Anyone know if this class of security hole has a name?
it might be a variation of TOCTOU
I think what you found might be a variation of TOCTOU - time of creation, time of access.
For example (although slightly different, but it's the same underlying idea):
https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system
Comment by
— 4 months and 3 days ago
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK