From owner-freebsd-hackers Sun Aug 10 08:41:06 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA26378 for hackers-outgoing; Sun, 10 Aug 1997 08:41:06 -0700 (PDT)
Received: from bitbox.follo.net (eivind@bitbox.follo.net [194.198.43.36]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id IAA26372 for ; Sun, 10 Aug 1997 08:41:03 -0700 (PDT)
Received: (from eivind@localhost) by bitbox.follo.net (8.8.5/8.7.3) id RAA05202; Sun, 10 Aug 1997 17:39:40 +0200 (CEST)
Date: Sun, 10 Aug 1997 17:39:40 +0200 (CEST)
Message-Id: <199708101539.RAA05202@bitbox.follo.net>
From: Eivind Eklund
To: Alfred Perlstein
CC: hackers@FreeBSD.ORG
In-reply-to: Alfred Perlstein's message of Sun, 10 Aug 1997 10:19:52 +0000 (GMT)
Subject: Re: Fix for the PROCFS security hole!
References:
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> I'm not too sure how to do it, but IF the procfs system could be modified
> to somehow act like the /dev/tty* system, where the second a user
> logs on the device is then owned by them and all other users' access is
> revoked. This could work that a setuid proc when exec'd, procfs would
> automatically change permissions on it so that it is untainable.

Possibly. It seems somewhat difficult, though, as when you have a
file-descriptor I believe the access is only checked the moment you
open the file, not on each access. Thus, you can e.g. drop root
privileges after having bound to a privileged port.

It might be possible to hack only procfs to actually do that checking,
though. Seems the most feasible way to solve this.

Eivind.
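The open-time check Eivind describes, shown as an added example that is not part of the original thread: a constructed C program opens a scratch file (assumed to live under a writable /tmp), strips all its permission bits, and demonstrates that the descriptor obtained earlier still reads while a fresh open(2) is re-checked against the new mode, which is why changing a procfs node's permissions after a setuid exec would not affect a descriptor already held.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Open a scratch file, then strip every permission bit from it.  The
 * descriptor obtained before chmod(2) keeps working because the check
 * happened once, at open(2); a fresh open(2) is checked against the new
 * mode and fails with EACCES (root bypasses the mode bits, so it succeeds).
 * Returns the errno of that fresh open (0 if it succeeded) and sets
 * *early_fd_read_ok; returns -1 if the setup itself failed.
 */
int demo_open_time_check(int *early_fd_read_ok)
{
    char path[] = "/tmp/opencheck.XXXXXX";   /* constructed scratch file */
    char buf[16];
    int fd, early, late, late_errno;
    *early_fd_read_ok = 0;
    if ((fd = mkstemp(path)) < 0) return -1;
    if (write(fd, "secret\n", 7) != 7 || close(fd) != 0) {
        unlink(path);
        return -1;
    }
    early = open(path, O_RDONLY);            /* checked while mode is 0600 */
    if (early < 0 || chmod(path, 0) != 0) {  /* now mode 000 */
        if (early >= 0) close(early);
        unlink(path);
        return -1;
    }
    *early_fd_read_ok = (read(early, buf, sizeof buf) == 7 &&
                         memcmp(buf, "secret\n", 7) == 0);
    late = open(path, O_RDONLY);             /* re-checked against 000 */
    late_errno = (late < 0) ? errno : 0;
    if (late >= 0) close(late);
    close(early);
    unlink(path);                            /* the owner may still unlink */
    return late_errno;
}

int main(void)
{
    int ok, rc = demo_open_time_check(&ok);
    if (rc < 0) { perror("setup failed"); return 1; }
    printf("pre-chmod fd reads: %s; fresh open: %s\n", ok ? "ok" : "FAILED",
           rc ? strerror(rc) : "succeeded (root bypasses mode bits)");
    return 0;
}
```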