Date: Wed, 06 Dec 2006 02:07:16 -0800
From: Colin Percival
To: freebsd security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:25.kmem
Message-id: <45769654.5050307@freebsd.org>
In-reply-to: <200612060933.kB69XErN083086@freefall.freebsd.org>

FreeBSD Security Advisories wrote:
> FreeBSD-SA-06:25.kmem Security Advisory
> The FreeBSD Project
> ...
> III. Impact
>
> A user in the "operator" group can read the contents of kernel memory.
> Such memory might contain sensitive information, such as portions of
> the file cache or terminal buffers. This information might be directly
> useful, or it might be leveraged to obtain elevated privileges in some
> way; for example, a terminal buffer might include a user-entered
> password.

For what it's worth, there was a lot of debate about whether this deserved
an advisory: Members of the operator group are allowed (by default, at least)
to read raw disk devices, so being able to read kernel memory really isn't
very much of a privilege escalation.

In the end I decided to go ahead with this advisory largely because we were
already planning on issuing an advisory this week (for a far more serious
issue in GNU tar), but if a similar issue arises next month, we might decide
not to bother with an advisory.

I'd be interested to hear opinions from the FreeBSD community about whether
this sort of issue is one which anyone really cares about.

Colin Percival
FreeBSD Security Officer