From owner-freebsd-security Tue Aug 12 07:12:47 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id HAA23717 for security-outgoing; Tue, 12 Aug 1997 07:12:47 -0700 (PDT) Received: from cwsys.cwent.com (66@cschuber.net.gov.bc.ca [142.31.240.113]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA23709; Tue, 12 Aug 1997 07:12:36 -0700 (PDT) Received: (from uucp@localhost) by cwsys.cwent.com (8.8.7/8.6.10) id HAA01007; Tue, 12 Aug 1997 07:12:21 -0700 (PDT) Message-Id: <199708121412.HAA01007@cwsys.cwent.com> Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwent.com, id smtpd001003; Tue Aug 12 14:12:14 1997 Reply-to: cy@uumail.gov.bc.ca X-Mailer: MH To: dg@root.com cc: Sean Eric Fagan , current@freebsd.org, security@freebsd.org Subject: Re: procfs patch In-reply-to: Your message of "Mon, 11 Aug 1997 02:53:05 PDT." <199708110953.CAA12034@implode.root.com> Date: Tue, 12 Aug 1997 07:12:13 -0700 From: Cy Schubert Sender: owner-freebsd-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > >+ /* > >+ * XXX > >+ * We need to check for KMEM_GROUP because ps is sgid kmem; > >+ * not allowing it here causes ps to not work properly. Arguably, > >+ * this is a bug with what ps does. We only need to do this > >+ * for Pmem nodes, and only if it's reading. This is still not > >+ * good, as it may still be possible to grab illicit data if > >+ * a process somehow gets to be KMEM_GROUP. Note that this also > >+ * means that KMEM_GROUP can't change without editing procfs.h! > >+ * All in all, quite yucky. > >+ */ > >+ > >+ if (!CHECKIO(curp, p) && > >+ ((curp->p_cred->pc_ucred->cr_gid != KMEM_GROUP) && > >+ (uio->uio_rw != UIO_READ)) > >+ return EPERM; > > If I read this right, you allow reads, correct? This would allow access to > potentially sensitive information in the setuid process. If the above is > changed to fail no matter what the operation, I think your fix should be > okay. All this patch does, in addition to allowing the "standard" access list access, is allow KMEM_GROUP read access, so IMHO it's almost perfect. Could this be controllable via sysctl, which would be used at boot time with a one-line awk script to get kmem's gid and poke it into the kernel. If this is too risky, e.g. opens up a security hole that could be exploited in another way, we could make this definition, and others like it, as options in the kernel config file, thus allowing the values of special UID's and GID's to be configurable. Any thoughts? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 UNIX Support OV/VM: BCSC02(CSCHUBER) ITSD BITNET: CSCHUBER@BCSC02.BITNET Government of BC Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca cy@uumail.gov.bc.ca "Quit spooling around, JES do it."