
In Linux, every process holds its own file descriptor table, which keeps references to all opened files and file-like devices. This table is managed by the kernel.

Is it possible that a non-privileged user modifies a file descriptor in the file descriptor table of an elevated process so that the file descriptor points to another file?

A Practical Example

Process 1000 runs as root and reads continuously from FD 0 (stdin) to FD 1 (stdout). Process 1001 runs as eve and wants to modify the file descriptor table of PID 1000 so that FD 1 points to /etc/sudoers instead.

Is this possible?

Al Francis
  • Once the process is started, no that's not possible. However, when starting a setuid binary, the creator does control stdin/stdout – paj28 Nov 26 '19 at 12:32
  • @paj28 So if I would run `sudo cat ...`, can I control where stdout is? Or does that depend on `sudo`? –  Nov 26 '19 at 12:40
  • Yeah, you can control it using redirection - `sudo cat topsecret > /tmp/foo` – paj28 Nov 26 '19 at 13:02
  • @paj28 But then the redirection happens inside bash, not on the process. E.g. bash tries to open /tmp/foo with whatever rights the current user has, not with the rights that `cat` has. –  Nov 26 '19 at 13:03
  • Yes, that's correct. I'm just answering the question you asked; this isn't a design flaw or vulnerability – paj28 Nov 26 '19 at 13:09
  • @paj28 But my question is how I can modify the file table of the elevated process. As far as I am aware, a redirection does not actually modify the file table of the process. –  Nov 26 '19 at 13:11
  • "Once the process is started, no that's not possible" – paj28 Nov 26 '19 at 13:12
  • @paj28 That'd be a suitable answer then. –  Nov 26 '19 at 13:19

1 Answer


Once the process is started, this is not possible. As mentioned, the only way to do this is via redirection; however, that happens inside bash (as you've noted in the comments), not inside the process, and thus does not fit as a solution for your question.
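The redirection mechanism discussed above, as an added example that is not part of the original question or answer: the file is opened under the caller's own credentials in a forked child before the command would run, and `dup2` changes only that child's descriptor table. The function names, the `/dev/null` stand-in for the parent's stdout, and the `/tmp/fd_demo_out.txt` path are constructed for illustration; the fd number is a parameter, so it also covers the `N> file` form.

```c
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* What a shell does for `cmd N> path`. Returns 0 if the child wrote msg, else -1. */
int run_redirected(int target_fd, const char *path, const char *msg)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Caller's credentials apply: the kernel permission-checks this open(). */
        int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
        if (fd < 0) _exit(1);                       /* redirection failed, nothing runs */
        if (fd != target_fd) {
            if (dup2(fd, target_fd) < 0) _exit(2);  /* edits the child's table only */
            close(fd);
        }
        /* A shell would execve() the command here; the fd table survives exec. */
        ssize_t w = write(target_fd, msg, strlen(msg));
        _exit(w == (ssize_t)strlen(msg) ? 0 : 3);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Returns 1 if the parent's fd is unchanged after the child repointed the same number. */
int parent_fd_untouched(const char *path, const char *msg)
{
    struct stat before, after;
    char buf[128] = {0};
    int slot = open("/dev/null", O_WRONLY);   /* stands in for the parent's stdout */
    if (slot < 0 || fstat(slot, &before) < 0) return 0;
    if (run_redirected(slot, path, msg) != 0) return 0;
    if (fstat(slot, &after) < 0) return 0;
    close(slot);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(path);
    return n >= 0 && strcmp(buf, msg) == 0 &&
           before.st_dev == after.st_dev && before.st_ino == after.st_ino;
}

int main(void) { return parent_fd_untouched("/tmp/fd_demo_out.txt", "hello\n") ? 0 : 1; }
```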