From owner-freebsd-hackers Sun Nov 7 10:10: 7 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from green.myip.org (localhost [127.0.0.1])
	by hub.freebsd.org (Postfix) with ESMTP id 7B56114E52
	for ; Sun, 7 Nov 1999 10:05:49 -0800 (PST)
	(envelope-from green@FreeBSD.org)
Received: from localhost ([127.0.0.1] ident=green)
	by green.myip.org with esmtp (Exim 3.02 #1)
	id 11kCrK-0000Dg-00; Sat, 06 Nov 1999 15:54:51 -0500
Date: Sat, 6 Nov 1999 15:54:50 -0500 (EST)
From: Brian Fundakowski Feldman
X-Sender: green@green.myip.org
To: Warner Losh
Cc: "Daniel C. Sobral" , David Malone , freebsd-hackers@FreeBSD.ORG
Subject: Re: Procfs' pointers to files.
In-Reply-To: <199911062006.NAA00573@harmony.village.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 6 Nov 1999, Warner Losh wrote:

> There are ways that the user can see the code to execute it, but not
> read it normally. procfs breaches this inability to read the file.
> Also, there are many related problems which make a proper fix for this
> that is more complicated than removing /proc/xxx/file nearly
> impossible. "Proper" here means "A fix which will prevent the
> disclosure of a file to unauthorized people which would normally not
> be able to read the file."
>
> I'm convinced that it would be hard to codify all the security checks
> needed to access the file originally into a single number which would
> allow people that could read the original file to read /proc/xxx/file
> and disallow people who couldn't read the file to also be disallowed
> from reading /proc/xxx/file.

It sounds to me that what you really want are the semantics of a
symbolic link and not the semantics of a hard link. Is it just me, or
does it seem as if the pathname of the executable being stored as a
virtual symlink in procfs as "file" would solve these security problems?

--
 Brian Fundakowski Feldman           \  FreeBSD: The Power to Serve!  /
 green@FreeBSD.org                    `------------------------------'
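
Added example, not part of the original message or of FreeBSD's code: a shell sketch of the hard-link versus symbolic-link distinction discussed in the thread, using an ordinary filesystem in place of procfs. The directory names, file names and the `try_read`/`link_demo` helpers are hypothetical; the hard link stands in for a direct reference to the file, the symlink for a stored pathname that is looked up again on every open.

```shell
#!/bin/sh
# Constructed demo. Run as an unprivileged user: root normally bypasses
# the directory permission check that the symlink case relies on.

# try_read PATH: print "ok" if PATH can be opened for reading, else "denied".
try_read() {
    if cat "$1" >/dev/null 2>&1; then echo ok; else echo denied; fi
}

# link_demo: print "<hard link result> <symlink result>".
link_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/private" "$work/public"

    # The file's own mode allows reading; access is meant to be
    # controlled by the permissions of the directory that holds it.
    echo "constructed file contents" > "$work/private/prog"
    chmod 644 "$work/private/prog"

    # Two references created while the directory is still accessible:
    ln    "$work/private/prog" "$work/public/by-inode"   # names the file itself
    ln -s "$work/private/prog" "$work/public/by-name"    # stores only the pathname

    # Now close off the directory, as its owner might.
    chmod 000 "$work/private"

    # The hard link never traverses private/, so its check is skipped.
    hard=$(try_read "$work/public/by-inode")
    # The symlink forces a fresh lookup of the stored path, so every
    # component, including private/, is checked again for this caller.
    soft=$(try_read "$work/public/by-name")

    chmod 700 "$work/private"
    rm -rf "$work"
    echo "$hard $soft"
}

link_demo
```

For an unprivileged user this prints `ok denied`: the reference by pathname inherits whatever checks the original path carries, without having to encode them anywhere.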