sticky bits in /proc etc

jim.cromie at gmail.com jim.cromie at gmail.com
Thu Jun 11 11:07:56 EDT 2020


On Wed, Jun 10, 2020 at 9:37 PM Valdis Klētnieks
<valdis.kletnieks at vt.edu> wrote:
>
> On Wed, 10 Jun 2020 08:24:17 -0600, jim.cromie at gmail.com said:
> > Id like to ask about a possible new use for file and directory sticky bits,
> > or setuid bits, to address the root-only use of /proc (etc) files
>
> The sticky bit and setuid/gid bits already have meanings for directories,
> and changing the semantics will break existing code.
>

ok, Id more or less expected this.
the only escape might have been that those meanings pertain to a "real" FS,
and might be irrelevant to a synthetic/virtual fs like /proc or /sys

> > this needs root
> >
> >   echo module kvm +p > /proc/dynamic_debug/control
> >
> > how about this ?
> >
> > cat root-owned-readonly-file  > /proc/dynamic_debug/control
>
> Nope, doesn't work that way, because the file in /proc has no way to tell that
> it's cat doing it from a root-owned file, versus cat doing it from a
> hacker-owned file. As far as the /proc file is concerned, the "echo" and "cat"
> commands are identical.
>
> If you have an actual need for non-root users to do this, there's always the
> fact that 'sudo' can be restricted to specific commands for the user, and/or
> the use of set-UID helper programs that validate the request and then issue it
> on the user's behalf.
>

I have no actual need, more just wondering aloud.

thanks
Jim



More information about the Kernelnewbies mailing list