From: Dag-Erling Smorgrav
To: Robert Watson
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org, security-officer@FreeBSD.org
Subject: Re: cvs commit: src/sys/miscfs/procfs procfs_subr.c
Date: 19 Feb 2002 12:04:11 +0100
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.

[resent due to Cc: snafu]

Uh, wait, I'm mixing apples and oranges here. You were talking about the -STABLE code, while I was talking about the -CURRENT code. Here's the breakdown:

 - pseudofs in -CURRENT had a bug where setugid processes' files were still readable by the owner of the process, but this is mostly cosmetic because procfs' back-end code always calls p_candebug() for sensitive files (ctl, mem and *regs). With yesterday's commit, the EPERM is simply thrown earlier. There was never a security problem in this code.

 - procfs in -STABLE had mem set group-writeable, which is a problem on systems where several users share a single primary group. I changed the permissions on mem in procfs_subr.c; procfs_access() will enforce them. This is a serious security issue, and merits an advisory.

The -STABLE code still lacks defense in depth. It should be taken out back and shot. Unfortunately, I don't know enough about how locking works in -STABLE to backport pseudofs.

DES
-- 
Dag-Erling Smorgrav - des@ofug.org
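
Added example, not part of the original message and not FreeBSD source: a simplified C model of the two cases in the breakdown above, showing what the mode bits alone allow and what a second back-end check adds. The modes 0660 and 0600, the uid/gid values, and may_debug() (a stand-in for a p_candebug()-style check) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model for illustration; none of this is FreeBSD source. */
struct cred { uid_t uid; gid_t gid; };
struct node { uid_t uid; gid_t gid; mode_t mode; };   /* a per-process file */
enum { WANT_READ = 04, WANT_WRITE = 02 };

/* Layer 1: owner/group/other mode-bit check, as an access routine does. */
static bool mode_allows(const struct node *n, const struct cred *c, mode_t want)
{
    if (c->uid == 0)
        return true;
    if (c->uid == n->uid)
        return ((n->mode >> 6) & want) == want;
    if (c->gid == n->gid)
        return ((n->mode >> 3) & want) == want;
    return (n->mode & want) == want;
}

/* Layer 2: hypothetical stand-in for a p_candebug()-style back-end check. */
static bool may_debug(const struct cred *c, const struct cred *target, bool setugid)
{
    return c->uid == 0 || (c->uid == target->uid && !setugid);
}

/* Constructed case: uid 1002 shares primary gid 100 with the owner, uid 1001. */
bool peer_can_write_mem(mode_t mem_mode, bool layered)
{
    struct cred owner = { 1001, 100 }, peer = { 1002, 100 };
    struct node mem = { owner.uid, owner.gid, mem_mode };
    bool ok = mode_allows(&mem, &peer, WANT_WRITE);
    return layered ? (ok && may_debug(&peer, &owner, false)) : ok;
}

/* Constructed case: the owner reads a file of their own setugid process. */
bool owner_can_read_setugid(bool layered)
{
    struct cred owner = { 1001, 100 };
    struct node f = { owner.uid, owner.gid, 0600 };
    bool ok = mode_allows(&f, &owner, WANT_READ);
    return layered ? (ok && may_debug(&owner, &owner, true)) : ok;
}

int main(void)
{
    printf("peer write, 0660, mode only: %d\n", peer_can_write_mem(0660, false));
    printf("peer write, 0600, mode only: %d\n", peer_can_write_mem(0600, false));
    printf("peer write, 0660, layered:   %d\n", peer_can_write_mem(0660, true));
    printf("owner read setugid, layered: %d\n", owner_can_read_setugid(true));
    return 0;
}
```

With only the mode-bit layer, the group-writeable mode is the whole decision; with the second layer, a wrong mode is caught later instead of being exploitable.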