From owner-freebsd-security Sun Dec 22 23:21:23 1996
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.4/8.8.4) id XAA22671 for security-outgoing; Sun, 22 Dec 1996 23:21:23 -0800 (PST)
Received: from hydrogen.nike.efn.org (resnet.uoregon.edu [128.223.170.28]) by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id XAA22653 for ; Sun, 22 Dec 1996 23:21:12 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hydrogen.nike.efn.org (8.8.3/8.8.3) with SMTP id WAA12564; Sun, 22 Dec 1996 22:50:39 -0800 (PST)
Date: Sun, 22 Dec 1996 22:50:37 -0800 (PST)
From: John-Mark Gurney
Reply-To: John-Mark Gurney
To: David Greenman
cc: Victor Rotanov, cschuber@uumail.gov.bc.ca, freebsd-security@FreeBSD.org
Subject: Re: seems like procfs bug...
In-Reply-To: <199612230047.QAA23206@root.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 22 Dec 1996, David Greenman wrote:

> >> > Here's the problem:
> >> >
> >> > There is an r-xr-xr-x file in an rwx------ directory.
> >> > When I run it, everyone is able to read it from /proc//file.
> >> > Seems like a bug, eh?
> >> >
> >>
> >>
> >> Maybe I'm missing something. I can't reproduce your problem on my 2.1.5
> >> systems.
> >
> >I'm running 2.2 and I never tried this on 2.1.5.
>
>    2.1.5 had the 'file' disabled because it didn't work right. We should
> probably kill it in 2.2, too, but only because it isn't very useful and
> (as you've pointed out) creates a security hole.

Why not change the default permission to what the file was? Or at least
owned by root and 0600? Because even though a path is useful... what
happens if someone simply "replaces" the binary on the disk.... With
the file you can nab a copy of a possible sniffer program even after the
"hacker" has removed it from the drive...

Just a few thoughts... ttyl..

John-Mark
gurney_j@efn.org
http://resnet.uoregon.edu/~gurney_j/
Modem/FAX: (541) 683-6954 (FreeBSD Box)

Live in Peace, destroy Micro$oft, support free software, run FreeBSD (unix)
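The exchange above turns on a detail of Unix access control: reaching a file through its path requires search (x) permission on every directory along the way, so an r-xr-xr-x binary inside an rwx------ directory is unreadable to other users even though the file's own mode bits say "readable". A /proc/<pid>/file node that hands out the executable's contents with its own fixed mode skips that directory walk. The following Python model is an added example, not code from the thread or from FreeBSD's procfs; the uids, the two constructed filesystem nodes and the three policy names (`fixed_0444` for the reported behaviour, `mirror_file` and `root_0600` for the two remedies suggested in the reply) are assumptions made for illustration. Run against the reported scenario, the model also shows that copying only the executable's mode bits onto the procfs node does not close the gap in this particular case, because it was the directory, not the file, that denied access.

```python
"""Model of the Unix path permission walk versus a procfs node that bypasses it.

Added example (not from the mailing-list thread or FreeBSD procfs). All uids,
gids, modes and policy names below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """A directory or file: permission bits (no type bits), owner uid and gid."""
    mode: int
    uid: int
    gid: int


def _class_bits(node: Node, uid: int, gids: set[int]) -> int:
    """Pick the rwx triple that applies to (uid, gids): owner, group, or other.
    Root is treated as holding all bits, as the kernel does for read access."""
    if uid == 0:
        return 7
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def can_read_via_path(path_nodes: list[Node], uid: int, gids: set[int]) -> bool:
    """Emulate open(path, O_RDONLY) permission checking.

    path_nodes lists every directory from the first component down to the
    file itself. Each directory must grant search (x); the file must grant
    read (r). A single directory without x blocks the whole path.
    """
    *dirs, leaf = path_nodes
    for d in dirs:
        if not _class_bits(d, uid, gids) & 1:
            return False
    return bool(_class_bits(leaf, uid, gids) & 4)


# Constructed scenario from the report: 0700 directory, 0555 binary, both owned by OWNER.
OWNER, OTHER = 1000, 1001
PRIVATE_DIR = Node(mode=0o700, uid=OWNER, gid=1000)
BINARY = Node(mode=0o555, uid=OWNER, gid=1000)


def via_path(uid: int) -> bool:
    """Can uid read the binary through its real path (directory walk included)?"""
    return can_read_via_path([PRIVATE_DIR, BINARY], uid, gids={uid})


def procfs_node(policy: str, exe: Node = BINARY) -> Node:
    """Hypothetical mode/owner that /proc/<pid>/file would be created with."""
    if policy == "fixed_0444":      # reported behaviour: world-readable node
        return Node(mode=0o444, uid=0, gid=0)
    if policy == "mirror_file":     # first suggestion: same owner and mode as the executable
        return Node(mode=exe.mode, uid=exe.uid, gid=exe.gid)
    if policy == "root_0600":       # second suggestion: root-owned, 0600
        return Node(mode=0o600, uid=0, gid=0)
    raise ValueError(f"unknown policy {policy!r}")


def via_procfs(policy: str, uid: int) -> bool:
    """Can uid read the executable through the procfs node? /proc itself is
    world-searchable, so only the node's own bits matter here."""
    return can_read_via_path([procfs_node(policy)], uid, gids={uid})


def leaks(policy: str, uid: int) -> bool:
    """True when procfs grants a read that the real path would have refused."""
    return via_procfs(policy, uid) and not via_path(uid)


if __name__ == "__main__":
    for policy in ("fixed_0444", "mirror_file", "root_0600"):
        for uid in (OWNER, OTHER, 0):
            print(f"{policy:12} uid={uid:5} path={via_path(uid)!s:5} "
                  f"procfs={via_procfs(policy, uid)!s:5} leak={leaks(policy, uid)}")
```

The `leaks` function is the check a defender would actually want: it flags any policy under which the procfs node answers "yes" where the path walk answers "no". In the modelled scenario only the root-owned 0600 node is free of such a mismatch for the non-owner.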