Latest working kernel version:
Earliest failing kernel version:
Distribution: Opensuse 10.2
Hardware Environment: Vmware
Software Environment:
Problem Description: Cannot access files in /proc when switching from root to non-root

Steps to reproduce:
When logged in as a normal user it is not possible to access links in /proc/{pid}/ where {pid} is the process id of a root process. This is despite the fact that all file and link permissions should allow the user to access the link.

Example:

# id
uid=0(root) gid=0(root) groups=0(root)
# echo $$
13924
# ls -al /proc/13924
total 0
dr-xr-xr-x 6 root root 0 2008-02-28 12:16 .
dr-xr-xr-x 128 root root 0 2008-02-18 20:11 ..
dr-xr-xr-x 2 root root 0 2008-02-28 19:59 attr
-r-------- 1 root root 0 2008-02-28 19:59 auxv
--w------- 1 root root 0 2008-02-28 19:59 clear_refs
-r--r--r-- 1 root root 0 2008-02-28 12:16 cmdline
-r--r--r-- 1 root root 0 2008-02-28 19:59 cpuset
lrwxrwxrwx 1 root root 0 2008-02-28 19:59 cwd -> /root
-r-------- 1 root root 0 2008-02-28 19:59 environ
lrwxrwxrwx 1 root root 0 2008-02-28 12:16 exe -> /lib/ast/bin/ksh
dr-x------ 2 root root 0 2008-02-28 19:59 fd
dr-x------ 2 root root 0 2008-02-28 19:59 fdinfo
-rw-r--r-- 1 root root 0 2008-02-28 19:59 loginuid
-r--r--r-- 1 root root 0 2008-02-28 19:59 maps
-rw------- 1 root root 0 2008-02-28 19:59 mem
-r--r--r-- 1 root root 0 2008-02-28 19:59 mounts
-r-------- 1 root root 0 2008-02-28 19:59 mountstats
-rw-r--r-- 1 root root 0 2008-02-28 19:59 oom_adj
-r--r--r-- 1 root root 0 2008-02-28 19:59 oom_score
lrwxrwxrwx 1 root root 0 2008-02-28 19:59 root -> /
-rw------- 1 root root 0 2008-02-28 19:59 seccomp
-r--r--r-- 1 root root 0 2008-02-28 19:59 smaps
-r--r--r-- 1 root root 0 2008-02-28 19:59 stat
-r--r--r-- 1 root root 0 2008-02-28 12:16 statm
-r--r--r-- 1 root root 0 2008-02-28 12:16 status
dr-xr-xr-x 3 root root 0 2008-02-28 19:59 task
-r--r--r-- 1 root root 0 2008-02-28 19:59 wchan

1) The directory /proc/13924 allows everybody to read the content.
2) The links (exe, cwd and root) are also readable by everybody.
3) The files the links point to (/root, /lib/ast/bin/ksh and /) are also readable by everybody

BUT when I list the directory as a normal user I get a permission denied.

markus@Opensuse:~> id
uid=1000(markus) gid=100(users) groups=16(dialout),33(video),100(users)
markus@Opensuse:~> ls -al /proc/13924
ls: cannot read symbolic link /proc/13924/cwd: Permission denied
ls: cannot read symbolic link /proc/13924/root: Permission denied
ls: cannot read symbolic link /proc/13924/exe: Permission denied
total 0
dr-xr-xr-x 6 root root 0 2008-02-28 12:16 .
dr-xr-xr-x 128 root root 0 2008-02-18 20:11 ..
dr-xr-xr-x 2 root root 0 2008-02-28 19:59 attr
-r-------- 1 root root 0 2008-02-28 19:59 auxv
--w------- 1 root root 0 2008-02-28 19:59 clear_refs
-r--r--r-- 1 root root 0 2008-02-28 12:16 cmdline
-r--r--r-- 1 root root 0 2008-02-28 19:59 cpuset
lrwxrwxrwx 1 root root 0 2008-02-28 19:59 cwd
-r-------- 1 root root 0 2008-02-28 19:59 environ
lrwxrwxrwx 1 root root 0 2008-02-28 12:16 exe
dr-x------ 2 root root 0 2008-02-28 19:59 fd
dr-x------ 2 root root 0 2008-02-28 19:59 fdinfo
-rw-r--r-- 1 root root 0 2008-02-28 19:59 loginuid
-r--r--r-- 1 root root 0 2008-02-28 19:59 maps
-rw------- 1 root root 0 2008-02-28 19:59 mem
-r--r--r-- 1 root root 0 2008-02-28 19:59 mounts
-r-------- 1 root root 0 2008-02-28 19:59 mountstats
-rw-r--r-- 1 root root 0 2008-02-28 19:59 oom_adj
-r--r--r-- 1 root root 0 2008-02-28 19:59 oom_score
lrwxrwxrwx 1 root root 0 2008-02-28 19:59 root
-rw------- 1 root root 0 2008-02-28 19:59 seccomp
-r--r--r-- 1 root root 0 2008-02-28 19:59 smaps
-r--r--r-- 1 root root 0 2008-02-28 19:59 stat
-r--r--r-- 1 root root 0 2008-02-28 12:16 statm
-r--r--r-- 1 root root 0 2008-02-28 12:16 status
dr-xr-xr-x 3 root root 0 2008-02-28 19:59 task
-r--r--r-- 1 root root 0 2008-02-28 19:59 wchan

This has the consequence that applications fail to work.

An example is when perl is used under root and the effective id has been changed using $>. perl can no longer access its own binary when spawning processes, as perl tries to access /proc/self/exe (which points to /usr/bin/perl) and fails. This stops applications from working (like Radiator, a perl based radius server) on SLES10/OpenSuse whereas other platforms like OpenSolaris/Solaris 10 work fine.

I also don't see a security reason for the denied permission as all other files are fully accessible by the non root user.

Regards
Markus

See also https://bugzilla.novell.com/show_bug.cgi?id=365738
chroot(), binaries in directories whose permissions are open to the user but whose directories above prevent the /proc using user reaching it via normal means
FWIW I am seeing this happen for none of the above-mentioned reasons. Not chrooting, no SELinux, no apparmor or whatever, kernel 2.6.24. I think the main problem is how hard it is to diagnose and identify why the permission is denied.

$ id
uid=1000(timo) gid=1009(quakelive) [..]
$ ls -1l /usr/local/alienbrain
total 8044
-rwxrwxr-x 1 root staff 1126824 2007-04-25 11:49 ab
[..]
$ ls -1l /proc/19405
ls: cannot read symbolic link /proc/19405/cwd: Permission denied

# ls -1l /proc/19405
[..]
lrwxrwxrwx 1 timo timo 0 2008-10-28 12:14 cwd -> /usr/local/alienbrain
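
Added example, not part of the bug report or of any comment in this thread: a shell diagnostic for the symptom shown above, where the mode bits on /proc/PID/cwd, exe and root (lrwxrwxrwx) do not predict whether readlink succeeds, because access depends on the caller's credentials relative to the target process. It prints the caller's IDs next to the Uid/Gid lines of the world-readable status file; the function names and the optional PROCROOT argument are assumptions made for this example.

```shell
#!/bin/sh
# Added diagnostic (not from the bug report). Compares what the mode bits of
# /proc/PID/{cwd,exe,root} suggest with what readlink actually returns, and
# prints the credentials involved so a UID/GID mismatch is visible.
# Usage: proc_link_report PID [PROCROOT]
# PROCROOT defaults to /proc; it is a hypothetical convenience that allows
# the function to be exercised on a constructed directory tree.

# Print the four IDs (real, effective, saved, filesystem) from a status line.
status_ids() {  # status_ids FILE Uid|Gid
    awk -v k="$2:" '$1 == k { print $2, $3, $4, $5 }' "$1" 2>/dev/null || true
}

proc_link_report() {
    pid=$1
    root=${2:-/proc}
    failed=0
    st="$root/$pid/status"
    echo "caller: uid=$(id -u) gid=$(id -g)"
    echo "target: Uid=[$(status_ids "$st" Uid)] Gid=[$(status_ids "$st" Gid)]"
    for link in cwd exe root; do
        path="$root/$pid/$link"
        # ls still prints the mode bits when the link target cannot be read
        mode=$(ls -ld "$path" 2>/dev/null | cut -c1-10)
        if target=$(readlink "$path" 2>/dev/null); then
            echo "$link: mode=${mode:-?} -> $target"
        else
            echo "$link: mode=${mode:-?} readlink failed"
            failed=$((failed + 1))
        fi
    done
    return "$failed"   # number of links that could not be read
}

# Example call: proc_link_report "$$"
```

Run it once as root and once as the unprivileged user against the same PID; the mode column stays the same while the readlink column changes.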