From owner-freebsd-security Mon Aug 11 12:34:19 1997
Date: Mon, 11 Aug 1997 15:31:58 -0400 (EDT)
From: Brian Mitchell
To: Sean Eric Fagan
cc: ache@nagual.pp.ru, bde@zeta.org.au, current@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: procfs patch
In-Reply-To: <199708111545.IAA08497@kithrup.com>

On Mon, 11 Aug 1997, Sean Eric Fagan wrote:

> >Just close the procfs file descriptors on exec?
>
> I thought about doing that. But I decided it was both too invasive, and too
> bothersome -- a root process would get its fd's closed, and it probably
> shouldn't.

Maybe not. If you are root and execute a setuid program, is P_SUGID set? I
would think not, but I have not checked.

> As I said, what I've got now should provide no more risks than dumping core
> does. Well, it allows for some greater control -- my truss program is not
> SUID root, and needs to be able to read process memory. But since the
> process should be owned by the user, I don't have a problem with it.
>
> Sean.

Now -- how about disallowing access if the binary is unreadable :)