Linux – What causes /proc//* resources to become owned by root, despite the procs being launched as a normal user

kernellinuxprocprocess

I've noticed that some procs, such as bash, have their entire /proc/<pid>/ resources readable by the user who created that proc. However other procs, such as chrome or gnome-keyring-daemon, have most of their /proc/<pid>/ resources only accessible by root, despite the process itself being owned by the normal user and no suid being called.

I dug through the kernel a bit and found that the /proc/ stuff gets limited if a task lacks a 'dumpable' flag, however I'm having a hard time understanding under what scenarios a task becomes undumpable (other than the setuid case, which doesn't apply to chrome or gnome-keyring):

https://github.com/torvalds/linux/blob/164c09978cebebd8b5fc198e9243777dbaecdfa0/fs/proc/base.c#L1532

Anyone care to help me understand the underlying mechanism and the reasons for it?

Thanks!

Edit:

Found a good doc on why you wouldn't want to have your SSH agent (such as gnome-keyring-daemon) dumpable by your user. Still not sure how gnome-keyring-daemon is making itself undumpable.

https://github.com/torvalds/linux/blob/164c09978cebebd8b5fc198e9243777dbaecdfa0/Documentation/security/Yama.txt#L30

Best Answer

Linux has a system call, which will change the dumpable flag. Here is some example code, which I wrote several years ago:

#include <sys/prctl.h>
...
/* The last three arguments are just padding, because the
 * system call requires five arguments.
 */
prctl(PR_SET_DUMPABLE,1,42,42,42);

It may be that gnome-keyring-daemon deliberately set the dumpable flag to zero for security reasons.

Related Solutions

Linux – files in /proc/$PID (e.g. ssh-agent, Chrome) are not owned by user but by root

[The following is adapted from text I'm just in the process of adding to the proc(5) manual page, which answers this question.]

The files under /proc/PID are normally owned by the effective user and effective group ID of the process. However, as a security measure, the ownership is made root:root if the process's "dumpable" attribute is set to a value other than 1. [The default value of this attribute is 1. Setting this attribute to 0 causes a process not to produce core dumps, since they may contain sensitive information. Likewise, certain files in /proc/PID can provide access to sensitive information.]

This attribute may change for the following reasons:

The attribute was explicitly set via the prctl(2) PR_SET_DUMPABLE operation.
The attribute was reset to the value in the file /proc/sys/fs/suid_dumpable.

The default value in /proc/sys/fs/suid_dumpable is 0. The reasons that the dumpable attribute may be reset to the value in the suid_dumpable file are described in the prctl(2) manual page:

The process's effective user or group ID is changed.
The process's filesystem user or group ID is changed.
The process executes a set-user-ID or set-group-ID program, or a program that has capabilities.

Linux – Why does a process of a binary with only execute permission remain hidden in “ps” when using hidepid=2, if the user is not root

The answer is (or at least starts) in fs/proc/base.c (unchanged from kernel 3.12 to 4.2 at least)

742 static int proc_pid_permission(struct inode *inode, int mask)
743 {
744         struct pid_namespace *pid = inode->i_sb->s_fs_info;
745         struct task_struct *task;
746         bool has_perms;
747 
748         task = get_proc_task(inode);
749         if (!task)
750                 return -ESRCH;
751         has_perms = has_pid_permissions(pid, task, 1);
752         put_task_struct(task);
753 
754         if (!has_perms) {
755                 if (pid->hide_pid == 2) {
756                         /*
757                          * Let's make getdents(), stat(), and open()
758                          * consistent with each other.  If a process
759                          * may not stat() a file, it shouldn't be    seen
760                          * in procfs at all.
761                          */
762                         return -ENOENT;
763                 }
764 
765                 return -EPERM;
766         }
767         return generic_permission(inode, mask);
768 }

The code above is the starting point for determining if a specific /proc/PID entry can been seen to exist or not. When hide_pid is set to 2 it returns -ENOENT if you don't have the required permission. Permissions are checked via:

has_pid_permissions() → ptrace_may_access() → __ptrace_may_access()

__ptrace_may_access() denies access because the process is not "dumpable" as it was created from an unreadable executable image, as determined during process creation:

setup_new_exec() → would_dump()

1118 void would_dump(struct linux_binprm *bprm, struct file *file)
1119 {
1120         if (inode_permission(file_inode(file), MAY_READ) < 0)
1121                 bprm->interp_flags |= BINPRM_FLAGS_ENFORCE_NONDUMP;
1122 }

Best Answer

Related Solutions

Linux – files in /proc/$PID (e.g. ssh-agent, Chrome) are not owned by user but by root

Linux – Why does a process of a binary with only execute permission remain hidden in “ps” when using hidepid=2, if the user is not root

Related Question