Linux file permission

Question

There is a process which is running under root user.

ps aux | grep ProcessX
root     11565  0.0  0.7  82120 22976 ?        Ssl  14:57   0:02 ProcessX

Now ls -l /proc/11565/ (pid ) gives this result.

total 0
dr-xr-xr-x 2 root root 0 Aug  9 16:06 attr
-rw-r--r-- 1 root root 0 Aug  9 16:06 autogroup
-r-------- 1 root root 0 Aug  9 16:06 auxv
-r--r--r-- 1 root root 0 Aug  9 16:06 cgroup
--w------- 1 root root 0 Aug  9 16:06 clear_refs
-r--r--r-- 1 root root 0 Aug  9 16:06 cmdline
-rw-r--r-- 1 root root 0 Aug  9 16:06 coredump_filter
-r--r--r-- 1 root root 0 Aug  9 16:06 cpuset
lrwxrwxrwx 1 root root 0 Aug  9 16:06 cwd -> /usr/local/bin
-r-------- 1 root root 0 Aug  9 16:06 environ
lrwxrwxrwx 1 root root 0 Aug  9 16:06 exe -> /usr/local/bin/ProcessX
dr-x------ 2 root root 0 Aug  9 16:06 fd
dr-x------ 2 root root 0 Aug  9 16:06 fdinfo
-r-------- 1 root root 0 Aug  9 16:06 io
-rw------- 1 root root 0 Aug  9 16:06 limits
-rw-r--r-- 1 root root 0 Aug  9 16:06 loginuid
-r--r--r-- 1 root root 0 Aug  9 16:06 maps
-rw------- 1 root root 0 Aug  9 16:06 mem
-r--r--r-- 1 root root 0 Aug  9 16:06 mountinfo
-r--r--r-- 1 root root 0 Aug  9 16:06 mounts
-r-------- 1 root root 0 Aug  9 16:06 mountstats
dr-xr-xr-x 6 root root 0 Aug  9 16:06 net
-r--r--r-- 1 root root 0 Aug  9 16:06 numa_maps
-rw-r--r-- 1 root root 0 Aug  9 16:06 oom_adj
-r--r--r-- 1 root root 0 Aug  9 16:06 oom_score
-rw-r--r-- 1 root root 0 Aug  9 16:06 oom_score_adj
-r--r--r-- 1 root root 0 Aug  9 16:06 pagemap
-r--r--r-- 1 root root 0 Aug  9 16:06 personality
lrwxrwxrwx 1 root root 0 Aug  9 16:06 root -> /
-rw-r--r-- 1 root root 0 Aug  9 16:06 sched
-r--r--r-- 1 root root 0 Aug  9 16:06 schedstat
-r--r--r-- 1 root root 0 Aug  9 16:06 sessionid
-r--r--r-- 1 root root 0 Aug  9 16:06 smaps
-r--r--r-- 1 root root 0 Aug  9 16:06 stack
-r--r--r-- 1 root root 0 Aug  9 16:06 stat
-r--r--r-- 1 root root 0 Aug  9 16:06 statm
-r--r--r-- 1 root root 0 Aug  9 16:06 status
-r--r--r-- 1 root root 0 Aug  9 16:06 syscall
dr-xr-xr-x 6 root root 0 Aug  9 16:06 task
-r--r--r-- 1 root root 0 Aug  9 16:06 wchan

Now the file permission for both status and maps are same (-r--r--r--). But when I issue cat /proc/11565/maps with a non privileged (not root) user, it gives me a permission denied. But for cat /proc/11565/status, it outputs as expected.

Is there something I am missing here?

Answer 1

It's because the file permissions are not the only protection you're encountering.

Those aren't just regular text files on a file system, procfs is a window into process internals and you have to get past both the file permissions plus whatever other protections are in place.

The maps show potentially dangerous information about memory usage and where executable code is located within the process space. If you look into ASLR, you'll see this was a method of preventing potential attackers from knowing where code was loaded and it wouldn't make sense to reveal it in a world-readable entry in procfs.

This protection was added way back in 2007:

This change implements a check using "ptrace_may_attach" before allowing access to read the maps contents. To control this protection, the new knob /proc/sys/kernel/maps_protect has been added, with corresponding updates to the procfs documentation.

Within ptrace_may_attach() (actually within one of the functions it calls) lies the following code:

if (((current->uid != task->euid) ||
     (current->uid != task->suid) ||
     (current->uid != task->uid) ||
     (current->gid != task->egid) ||
     (current->gid != task->sgid) ||
     (current->gid != task->gid))     && !capable(CAP_SYS_PTRACE))
   return -EPERM;

so that, unless you have the same real user/group ID, saved user/group ID and effective user/group ID (i.e., no sneaky setuid stuff) and they're the same as the user/group ID that owns the process, you're not allowed to see inside that "file" (unless your process has the CAP_SYS_PTRACE capability of course).