sticky bits in /proc etc
Valdis Kl=?utf-8?Q?=c4=93?=tnieks
valdis.kletnieks at vt.edu
Wed Jun 10 23:37:32 EDT 2020
On Wed, 10 Jun 2020 08:24:17 -0600, jim.cromie at gmail.com said:
> Id like to ask about a possible new use for file and directory sticky bits,
> or setuid bits, to address the root-only use of /proc (etc) files
The sticky bit and setuid/gid bits already have meanings for directories,
and changing the semantics will break existing code.
> this needs root
>
> echo module kvm +p > /proc/dynamic_debug/control
>
> how about this ?
>
> cat root-owned-readonly-file > /proc/dynamic_debug/control
Nope, doesn't work that way, because the file in /proc has no way to tell that
it's cat doing it from a root-owned file, versus cat doing it from a
hacker-owned file. As far as the /proc file is concerned, the "echo" and "cat"
commands are identical.
If you have an actual need for non-root users to do this, there's always the
fact that 'sudo' can be restricted to specific commands for the user, and/or
the use of set-UID helper programs that validate the request and then issue it
on the user's behalf.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
URL: <http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20200610/afe7611c/attachment.sig>
More information about the Kernelnewbies
mailing list