From: Robert Watson
Date: Mon, 1 Mar 2004 09:32:27 -0500 (EST)
To: Andy Gilligan
cc: freebsd-security@freebsd.org
Subject: Re: procfs + chmod = no go

On Mon, 1 Mar 2004, Andy Gilligan wrote:

> > Why? They can get the same information from ps(1) or the kern.proc
> > sysctl tree.
> >
> > (in 5.2, you can set security.bsd.see_other_uid to 0 to prevent users
> > from seeing other users' processes)
>
> Surely kern.ps_showallprocs would accomplish the same thing in 4.x ?

kern.ps_showallprocs changes the behavior of the ps(1) command and kernel
sysctls for process listing, but does not provide comprehensive coverage
against probing using kill(2), ptrace(2), and other system calls which
report different protection errors when pointed at undesired targets,
procfs, linprocfs, etc. In 5.x, we centralized inter-process access
control, improving both its consistency and our ability to instrument it
with new policies as part of the MAC Framework. So there is a pretty
strong quantitative difference between kern.ps_showallprocs in 4.x and
security.bsd.see_other_uids in 5.x. These changes would be fairly
straightforward to backport, but would be complicated by the fact that
procfs in 4.x and procfs in 5.x are substantially different.

Robert N M Watson             FreeBSD Core Team, TrustedBSD Projects
robert@fledge.watson.org      Senior Research Scientist, McAfee Research
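
The following is an added illustration, not part of the original message: a small C check an administrator can run as an unprivileged user, passing pids owned by another uid, to see whether kill(2) still distinguishes "exists but denied" (EPERM) from "no such process" (ESRCH). The function and enum names are hypothetical; only POSIX kill(2) semantics are assumed.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical names for the three outcomes kill(pid, 0) can report. */
enum vis { VIS_SIGNALABLE, VIS_EXISTS_DENIED, VIS_NOT_FOUND, VIS_ERROR };

/* Signal 0 runs only the existence and permission checks; nothing is sent. */
enum vis probe_pid(pid_t pid)
{
    if (pid <= 0)                  /* 0 and negatives address process groups */
        return VIS_ERROR;
    if (kill(pid, 0) == 0)
        return VIS_SIGNALABLE;
    if (errno == EPERM)
        return VIS_EXISTS_DENIED;  /* the kernel confirmed the process exists */
    if (errno == ESRCH)
        return VIS_NOT_FOUND;      /* absent, or hidden by the access policy */
    return VIS_ERROR;
}

/* Constructed sample input: fork a child, reap it, return its now-free pid. */
pid_t reaped_child_pid(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid;
}

const char *vis_name(enum vis v)
{
    static const char *names[] = { "signalable", "exists_denied",
                                   "not_found", "error" };
    return names[v];
}

int main(int argc, char **argv)
{
    /* Usage: ./probe PID...   (run unprivileged, with pids of another uid) */
    for (int i = 1; i < argc; i++) {
        pid_t pid = (pid_t)strtol(argv[i], NULL, 10);
        printf("%ld: %s\n", (long)pid, vis_name(probe_pid(pid)));
    }
    return 0;
}
```

If a pid that ps(1) no longer lists is reported as exists_denied, process listing is restricted but kill(2) still confirms the process, which is the gap in coverage the message describes.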