So, say some privileged service is reading data from the /proc filesystem. It checks that a process has some PID, and then reads stuff from its subdirectory in /proc. This is of course a TOCTTOU race condition, because the PID may be associated with a different process when the read occurs. e.g. say a privileged server accesses the memory of a client, which runs as a limited user. Noticing this, an attacker 1. Waits for the check 2. Kills the client PID 3. Immediately drops a forkbomb that embeds a nasty payload With a bit of bad luck, the forkbomb may grab the same PID, and the server will be tricked into accessing the payload. By the time the admin has recognized the forkbomb symptoms and forced a reboot, the attacker may have persistent root access. There are some defenses against this already: - Never use procfs from a privileged service - Set reasonable ulimits for everyone to prevent forkbombs, etc. - Make sure PIDs are generate in an unpredictable fashion and this is all quite theoretical, I've never even heard of such an attack in the wild. But keeping things theoretical, I have to ask: how safe are virtual filesystems as a way of accessing process information from userspace? Was the Plan9 "everything is a file" concept naive with respect to security in practice?
