From owner-cvs-all Mon Nov 29 17:29:19 1999
Delivered-To: cvs-all@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (Postfix) with ESMTP id 8D6CF15654; Mon, 29 Nov 1999 17:29:10 -0800 (PST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6]) by rover.village.org (8.9.3/8.9.3) with ESMTP id SAA06640; Mon, 29 Nov 1999 18:29:06 -0700 (MST) (envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.9.3/8.8.3) with ESMTP id SAA98529; Mon, 29 Nov 1999 18:29:34 -0700 (MST)
Message-Id: <199911300129.SAA98529@harmony.village.org>
To: Matthew Dillon
Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
In-reply-to: Your message of "Mon, 29 Nov 1999 15:44:41 PST." <199911292344.PAA12574@apollo.backplane.com>
References: <199911292344.PAA12574@apollo.backplane.com> <199911292239.OAA11977@apollo.backplane.com> <199911292335.QAA97810@harmony.village.org>
Date: Mon, 29 Nov 1999 18:29:34 -0700
From: Warner Losh
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk

In message <199911292344.PAA12574@apollo.backplane.com> Matthew Dillon writes:
: Do you want another example? Fine, then how about this: /proc is
: publicly readable. You can obtain a list of pid's from that,
: figure out which one is new, and still win the race.
:
: You see? Randomizing pid's is *very* weak security.

It increases the amount of work needed to find out the pid in question. This reduces the chances of winning the race to create the symbolic links. The sequential pids make this sort of attack trivial. An attacker, in the case of the recent make -j problem, could guess several files ahead and sprinkle them before make even forked off its jobs.
With random pids, an attacker cannot do that and must grovel in /proc for valuable micro/milliseconds and will be less likely to win the race that is here. The window is harder to hit, but it is still possible. It isn't a perfect solution. However, it isn't "very weak" security. It is better than sequential pids. This is the main reason that we'd like to use mkstemp everywhere, since that ensures that you'll not lose a race.

Warner
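As an added illustration of Warner's closing point about mkstemp, and not code from this thread or from FreeBSD: the C program below builds the kind of pid-derived temporary name that a sequential-pid guess targets, shows that an open() with O_CREAT but without O_EXCL silently uses whatever entry already sits at that path, and shows that O_CREAT|O_EXCL refuses such an entry with EEXIST. mkstemp() combines that exclusive open with a random suffix chosen by libc, which is why it does not lose the race even when the pid is known. The scratch directory, the "job" prefix and the pre-existing entry are all constructed by the example itself; it assumes a POSIX system with a writable /tmp.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pid-derived name: guessable once the pid is known or predicted. */
static void predictable_name(char *buf, size_t len, const char *dir)
{
    snprintf(buf, len, "%s/job.%ld", dir, (long)getpid());
}

/* The racy pattern: O_CREAT without O_EXCL opens an entry that is already
 * there, and follows a symlink placed at that path. */
int open_non_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* The guarded pattern: O_CREAT|O_EXCL fails with EEXIST if anything is at
 * the path and does not follow a symlink there, so nothing is ever written
 * through a pre-planted entry. mkstemp() uses this flag combination. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 when the three behaviours line up as described:
 *   - the non-exclusive open reuses a pre-existing entry at the guessed path,
 *   - the exclusive open refuses it with EEXIST,
 *   - mkstemp() succeeds with a name that is not the guessed one.
 * Returns 0 on any deviation or setup failure. Everything happens inside a
 * private directory created with mkdtemp() and is cleaned up afterwards. */
int demo_pid_name_race(void)
{
    char dir[] = "/tmp/pidrace.XXXXXX";        /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char guessed[512];
    predictable_name(guessed, sizeof guessed, dir);

    /* Stand-in for an entry placed at the guessed path ahead of time; a
     * plain file created by this demo itself is enough to show the
     * difference between the two open() variants. */
    int pre = open(guessed, O_WRONLY | O_CREAT, 0600);
    if (pre < 0) {
        rmdir(dir);
        return 0;
    }
    close(pre);

    int ok = 1;

    int fd = open_non_exclusive(guessed);       /* expected: succeeds */
    if (fd < 0)
        ok = 0;
    else
        close(fd);

    fd = open_exclusive(guessed);               /* expected: -1, errno EEXIST */
    if (fd >= 0) {
        ok = 0;
        close(fd);
    } else if (errno != EEXIST) {
        ok = 0;
    }

    char tmpl[512];
    snprintf(tmpl, sizeof tmpl, "%s/job.XXXXXX", dir);
    fd = mkstemp(tmpl);                         /* expected: fresh random name */
    if (fd < 0 || strcmp(tmpl, guessed) == 0)
        ok = 0;
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }

    unlink(guessed);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("%s\n", demo_pid_name_race() ? "ok" : "unexpected");
    return 0;
}
```

The check on errno is the part worth keeping in real code: a program that treats EEXIST from an exclusive open as a hard error (or retries with a different name, as mkstemp does) never writes through an entry it did not create, regardless of how predictable its pid is.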