Linux – files in /proc/$PID (e.g. ssh-agent, Chrome) are not owned by user but by root

linuxlinux-kernelpermissionsprocSecurity

I am just answering another question here 🙂 and thus had a look – wanted to have a look at /proc/$PID/fd of ssh-agent in order to find out which socket it uses. But I can't. I am quite surprised to notice that most files and directories belong to root. ssh-agent runs as my user (so does its parent process) and is not installed SUID root. I wasn't able to find out where exactly KDE starts it. I am curious; can someone tell my what's happening here?

Or is this not about the user at all, can processes use some kernel magic in order to hide (most of) their /proc info from the public (and even other processes of the same user)?

I just checked the /proc/$PID/fd of all my processes and noticed that ssh-agent is not the only process with this strange attribute. The others are the bunch of Chrome processes and kdesud (no SUID root binary either).

Best Answer

[The following is adapted from text I'm just in the process of adding to the proc(5) manual page, which answers this question.]

The files under /proc/PID are normally owned by the effective user and effective group ID of the process. However, as a security measure, the ownership is made root:root if the process's "dumpable" attribute is set to a value other than 1. [The default value of this attribute is 1. Setting this attribute to 0 causes a process not to produce core dumps, since they may contain sensitive information. Likewise, certain files in /proc/PID can provide access to sensitive information.]

This attribute may change for the following reasons:

The attribute was explicitly set via the prctl(2) PR_SET_DUMPABLE operation.
The attribute was reset to the value in the file /proc/sys/fs/suid_dumpable.

The default value in /proc/sys/fs/suid_dumpable is 0. The reasons that the dumpable attribute may be reset to the value in the suid_dumpable file are described in the prctl(2) manual page:

The process's effective user or group ID is changed.
The process's filesystem user or group ID is changed.
The process executes a set-user-ID or set-group-ID program, or a program that has capabilities.

Related Solutions

Linux – What causes /proc//* resources to become owned by root, despite the procs being launched as a normal user

Linux has a system call, which will change the dumpable flag. Here is some example code, which I wrote several years ago:

#include <sys/prctl.h>
...
/* The last three arguments are just padding, because the
 * system call requires five arguments.
 */
prctl(PR_SET_DUMPABLE,1,42,42,42);

It may be that gnome-keyring-daemon deliberately set the dumpable flag to zero for security reasons.

Linux – Why does a process of a binary with only execute permission remain hidden in “ps” when using hidepid=2, if the user is not root

The answer is (or at least starts) in fs/proc/base.c (unchanged from kernel 3.12 to 4.2 at least)

742 static int proc_pid_permission(struct inode *inode, int mask)
743 {
744         struct pid_namespace *pid = inode->i_sb->s_fs_info;
745         struct task_struct *task;
746         bool has_perms;
747 
748         task = get_proc_task(inode);
749         if (!task)
750                 return -ESRCH;
751         has_perms = has_pid_permissions(pid, task, 1);
752         put_task_struct(task);
753 
754         if (!has_perms) {
755                 if (pid->hide_pid == 2) {
756                         /*
757                          * Let's make getdents(), stat(), and open()
758                          * consistent with each other.  If a process
759                          * may not stat() a file, it shouldn't be    seen
760                          * in procfs at all.
761                          */
762                         return -ENOENT;
763                 }
764 
765                 return -EPERM;
766         }
767         return generic_permission(inode, mask);
768 }

The code above is the starting point for determining if a specific /proc/PID entry can been seen to exist or not. When hide_pid is set to 2 it returns -ENOENT if you don't have the required permission. Permissions are checked via:

has_pid_permissions() → ptrace_may_access() → __ptrace_may_access()

__ptrace_may_access() denies access because the process is not "dumpable" as it was created from an unreadable executable image, as determined during process creation:

setup_new_exec() → would_dump()

1118 void would_dump(struct linux_binprm *bprm, struct file *file)
1119 {
1120         if (inode_permission(file_inode(file), MAY_READ) < 0)
1121                 bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1122 }

Best Answer

Related Solutions

Linux – What causes /proc//* resources to become owned by root, despite the procs being launched as a normal user

Linux – Why does a process of a binary with only execute permission remain hidden in “ps” when using hidepid=2, if the user is not root

Related Question