From owner-freebsd-security Mon Aug 11 02:50:45 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id CAA24585 for security-outgoing; Mon, 11 Aug 1997 02:50:45 -0700 (PDT) Received: from implode.root.com (implode.root.com [198.145.90.17]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id CAA24580; Mon, 11 Aug 1997 02:50:37 -0700 (PDT) Received: from implode.root.com (localhost [127.0.0.1]) by implode.root.com (8.8.5/8.8.5) with ESMTP id CAA12034; Mon, 11 Aug 1997 02:53:05 -0700 (PDT) Message-Id: <199708110953.CAA12034@implode.root.com> To: Sean Eric Fagan cc: current@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: procfs patch In-reply-to: Your message of "Sun, 10 Aug 1997 20:15:52 PDT." <199708110315.UAA14486@freefall.freebsd.org> From: David Greenman Reply-To: dg@root.com Date: Mon, 11 Aug 1997 02:53:05 -0700 Sender: owner-freebsd-security@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk >+ /* >+ * XXX >+ * We need to check for KMEM_GROUP because ps is sgid kmem; >+ * not allowing it here causes ps to not work properly. Arguably, >+ * this is a bug with what ps does. We only need to do this >+ * for Pmem nodes, and only if it's reading. This is still not >+ * good, as it may still be possible to grab illicit data if >+ * a process somehow gets to be KMEM_GROUP. Note that this also >+ * means that KMEM_GROUP can't change without editing procfs.h! >+ * All in all, quite yucky. >+ */ >+ >+ if (!CHECKIO(curp, p) && >+ ((curp->p_cred->pc_ucred->cr_gid != KMEM_GROUP) && >+ (uio->uio_rw != UIO_READ)) >+ return EPERM; If I read this right, you allow reads, correct? This would allow access to potentially sensitive information in the setuid process. If the above is changed to fail no matter what the operation, I think your fix should be okay. -DG David Greenman Core-team/Principal Architect, The FreeBSD Project