How to read the /proc//fd directory of a process, which has a linux capability

capabilitiesnot-root-userpermissionsprocroot

As a non-root user I am running a process. The process binary has been given a cap_sys_resource capability. Even though the process is owned by the same user, that user cannot read its /proc//fd directory. The permissions in /proc/pid look like this:

dr-xr-xr-x.   9 ec2-user ec2-user 0 May 12 01:03 .
dr-xr-xr-x. 249 root     root     0 Apr  3 13:34 ..
dr-xr-xr-x.   2 ec2-user ec2-user 0 May 12 01:03 attr
-rw-r--r--.   1 root     root     0 May 12 01:04 autogroup
-r--------.   1 root     root     0 May 12 01:03 auxv
-r--r--r--.   1 root     root     0 May 12 01:04 cgroup
--w-------.   1 root     root     0 May 12 01:04 clear_refs
-r--r--r--.   1 root     root     0 May 12 01:03 cmdline
-rw-r--r--.   1 root     root     0 May 12 01:04 comm
-rw-r--r--.   1 root     root     0 May 12 01:04 coredump_filter
-r--r--r--.   1 root     root     0 May 12 01:04 cpuset
lrwxrwxrwx.   1 root     root     0 May 12 01:04 cwd
-r--------.   1 root     root     0 May 12 01:04 environ
lrwxrwxrwx.   1 root     root     0 May 12 01:04 exe
dr-x------.   2 root     root     0 May 12 01:03 fd
dr-x------.   2 root     root     0 May 12 01:04 fdinfo
-rw-r--r--.   1 root     root     0 May 12 01:04 gid_map
-r--------.   1 root     root     0 May 12 01:04 io
-r--r--r--.   1 root     root     0 May 12 01:04 limits
-rw-r--r--.   1 root     root     0 May 12 01:04 loginuid
dr-x------.   2 root     root     0 May 12 01:04 map_files
-r--r--r--.   1 root     root     0 May 12 01:04 maps
-rw-------.   1 root     root     0 May 12 01:04 mem
-r--r--r--.   1 root     root     0 May 12 01:04 mountinfo
-r--r--r--.   1 root     root     0 May 12 01:04 mounts
-r--------.   1 root     root     0 May 12 01:04 mountstats
dr-xr-xr-x.   5 ec2-user ec2-user 0 May 12 01:04 net
dr-x--x--x.   2 root     root     0 May 12 01:03 ns
-r--r--r--.   1 root     root     0 May 12 01:04 numa_maps
-rw-r--r--.   1 root     root     0 May 12 01:04 oom_adj
-r--r--r--.   1 root     root     0 May 12 01:04 oom_score
-rw-r--r--.   1 root     root     0 May 12 01:04 oom_score_adj
-r--r--r--.   1 root     root     0 May 12 01:04 pagemap
-r--r--r--.   1 root     root     0 May 12 01:04 personality
-rw-r--r--.   1 root     root     0 May 12 01:04 projid_map
lrwxrwxrwx.   1 root     root     0 May 12 01:04 root
-rw-r--r--.   1 root     root     0 May 12 01:04 sched
-r--r--r--.   1 root     root     0 May 12 01:04 schedstat
-r--r--r--.   1 root     root     0 May 12 01:04 sessionid
-rw-r--r--.   1 root     root     0 May 12 01:04 setgroups
-r--r--r--.   1 root     root     0 May 12 01:04 smaps
-r--r--r--.   1 root     root     0 May 12 01:04 stack
-r--r--r--.   1 root     root     0 May 12 01:03 stat
-r--r--r--.   1 root     root     0 May 12 01:03 statm
-r--r--r--.   1 root     root     0 May 12 01:03 status
-r--r--r--.   1 root     root     0 May 12 01:04 syscall
dr-xr-xr-x.   3 ec2-user ec2-user 0 May 12 01:03 task
-r--r--r--.   1 root     root     0 May 12 01:04 timers
-rw-r--r--.   1 root     root     0 May 12 01:04 uid_map
-r--r--r--.   1 root     root     0 May 12 01:04 wchan

Is there a way to read the /proc//fd directory without using the root user?

Best Answer

Technically there are some ways to allow it. I'm not sure they will be practical or useful in most cases.

You could modify the program you are interested in to call prctl(PR_SET_DUMPABLE, 1, ...). This would be dangerous if the target program is using a capability to access more sensitive information, e.g. password files. This danger cannot apply in your case. Because you are only using the capability CAP_SYS_RESOURCE, which does not allow the program to access any more information than it would otherwise.

Problem 1: We see you are denied access to the directory /proc/[pid]/fd/, because it is only accessible by the owner (r-x------), and the owner is root. This is because:

http://man7.org/linux/man-pages/man5/proc.5.html

The files inside each /proc/[pid] directory are normally owned by the effective user and effective group ID of the process. However, as a security measure, the ownership is made root:root if the process's "dumpable" attribute is set to a value other than 1.

[...]

The process's "dumpable" attribute may change for the following reasons:

The attribute was explicitly set via the prctl(2) PR_SET_DUMPABLE operation.

The attribute was reset to the value in the file /proc/sys/fs/suid_dumpable (described below), for the reasons described in prctl(2).

http://man7.org/linux/man-pages/man2/prctl.2.html

PR_SET_DUMPABLE (since Linux 2.3.20)

Set the state of the "dumpable" flag, which determines whether core dumps are produced for the calling process upon delivery of a signal whose default behavior is to produce a core dump.

[...] (See also the description of /proc/sys/fs/ suid_dumpable in proc(5).)

Normally, this flag is set to 1. However, it is reset to the current value contained in the file /proc/sys/fs/suid_dumpable (which by default has the value 0), in the following circumstances:

The process's effective user or group ID is changed.

The process's filesystem user or group ID is changed (see credentials(7)).

The process executes (execve(2)) a set-user-ID or set- group-ID program, resulting in a change of either the effective user ID or the effective group ID.

The process executes (execve(2)) a program that has file capabilities (see capabilities(7)), but only if the permitted capabilities gained exceed those already permitted for the process.

Problem 2: Simply being able to list /proc/[pid]/fd/ is not very useful on it's own. I expect you at least want to see what the open files refer to.

After the permissions on this directory, and the permissions on the files within it, the proc man page says there is another security check involving this "dumpable" flag:

Permission to dereference or read (readlink(2)) the symbolic links in this directory is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2).

http://man7.org/linux/man-pages/man2/ptrace.2.html

Deny access if the target process "dumpable" attribute has a value other than 1 (SUID_DUMP_USER; see the discussion of PR_SET_DUMPABLE in prctl(2)), and the caller does not have the CAP_SYS_PTRACE capability in the user namespace of the target process.

So another way to bypass problem 2 is if you had the capability CAP_SYS_PTRACE. Note that CAP_SYS_PTRACE would allow you to control any other process. It's arguable whether this would be any less powerful than actually being the root user.

You would also need to bypass problem 1, the file permissions. This could be done if you had the capability CAP_DAC_READ_SEARCH (or CAP_DAC_OVERRIDE).

`/proc/$pid/maps`

/proc/$pid/mem shows the contents of $pid's memory mapped the same way as in the process, i.e., the byte at offset x in the pseudo-file is the same as the byte at address x in the process. If an address is unmapped in the process, reading from the corresponding offset in the file returns EIO (Input/output error). For example, since the first page in a process is never mapped (so that dereferencing a NULL pointer fails cleanly rather than unintendedly accessing actual memory), reading the first byte of /proc/$pid/mem always yield an I/O error.

The way to find out what parts of the process memory are mapped is to read /proc/$pid/maps. This file contains one line per mapped region, looking like this:

08048000-08054000 r-xp 00000000 08:01 828061     /bin/cat
08c9b000-08cbc000 rw-p 00000000 00:00 0          [heap]

The first two numbers are the boundaries of the region (addresses of the first byte and the byte after last, in hexa). The next column contain the permissions, then there's some information about the file (offset, device, inode and name) if this is a file mapping. See the proc(5) man page or Understanding Linux /proc/id/maps for more information.

Here's a proof-of-concept script that dumps the contents of its own memory.

#! /usr/bin/env python
import re
maps_file = open("/proc/self/maps", 'r')
mem_file = open("/proc/self/mem", 'rb', 0)
output_file = open("self.dump", 'wb')
for line in maps_file.readlines():  # for each mapped region
    m = re.match(r'([0-9A-Fa-f]+)-([0-9A-Fa-f]+) ([-r])', line)
    if m.group(3) == 'r':  # if this is a readable region
        start = int(m.group(1), 16)
        end = int(m.group(2), 16)
        mem_file.seek(start)  # seek to region start
        chunk = mem_file.read(end - start)  # read region contents
        output_file.write(chunk)  # dump contents to standard output
maps_file.close()
mem_file.close()
output_file.close()

`/proc/$pid/mem`

[The following is for historical interest. It does not apply to current kernels.]

Since version 3.3 of the kernel, you can access /proc/$pid/mem normally as long as you access only access it at mapped offsets and you have permission to trace it (same permissions as ptrace for read-only access). But in older kernels, there were some additional complications.

If you try to read from the mem pseudo-file of another process, it doesn't work: you get an ESRCH (No such process) error.

The permissions on /proc/$pid/mem (r--------) are more liberal than what should be the case. For example, you shouldn't be able to read a setuid process's memory. Furthermore, trying to read a process's memory while the process is modifying it could give the reader an inconsistent view of the memory, and worse, there were race conditions that could trace older versions of the Linux kernel (according to this lkml thread, though I don't know the details). So additional checks are needed:

The process that wants to read from /proc/$pid/mem must attach to the process using ptrace with the PTRACE_ATTACH flag. This is what debuggers do when they start debugging a process; it's also what strace does to a process's system calls. Once the reader has finished reading from /proc/$pid/mem, it should detach by calling ptrace with the PTRACE_DETACH flag.
The observed process must not be running. Normally calling ptrace(PTRACE_ATTACH, …) will stop the target process (it sends a STOP signal), but there is a race condition (signal delivery is asynchronous), so the tracer should call wait (as documented in ptrace(2)).

A process running as root can read any process's memory, without needing to call ptrace, but the observed process must be stopped, or the read will still return ESRCH.

In the Linux kernel source, the code providing per-process entries in /proc is in fs/proc/base.c, and the function to read from /proc/$pid/mem is mem_read. The additional check is performed by check_mem_permission.

Here's some sample C code to attach to a process and read a chunk its of mem file (error checking omitted):

sprintf(mem_file_name, "/proc/%d/mem", pid);
mem_fd = open(mem_file_name, O_RDONLY);
ptrace(PTRACE_ATTACH, pid, NULL, NULL);
waitpid(pid, NULL, 0);
lseek(mem_fd, offset, SEEK_SET);
read(mem_fd, buf, _SC_PAGE_SIZE);
ptrace(PTRACE_DETACH, pid, NULL, NULL);

I've already posted a proof-of-concept script for dumping /proc/$pid/mem on another thread.

How to read any process’ /proc/pid/io

Use iotop.

It should be available in your repo for a Redhat/Centos/Fedora machine (if it is not already installed).

It outputs a similar info as top, but instead of the CPU/memory stats, you will get the IO stats (Disk reads, writes and swapin).

The options -p , -u and --only might be of interest to you.

For example, to see the IO activity of the process with ID 5435, use:

iotop -p 5435

From the man page:

   -p PID, --pid=PID
          A list of processes/threads to monitor (all by default).

   -u USER, --user=USER
          A list of users to monitor (all by default)

   -P, --processes
          Only show processes. Normally iotop shows all threads.

Best Answer

Related Solutions

Linux – How to Read from /proc/$pid/mem

/proc/$pid/maps

/proc/$pid/mem

How to read any process’ /proc/pid/io

Related Question

`/proc/$pid/maps`

`/proc/$pid/mem`