From owner-freebsd-hackers Sun Aug 10 11:43:41 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id LAA05931 for hackers-outgoing; Sun, 10 Aug 1997 11:43:41 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA05918 for ; Sun, 10 Aug 1997 11:43:36 -0700 (PDT)
Received: from localhost (brian@localhost) by shell.firehouse.net (8.8.5/8.8.5) with SMTP id OAA19141; Sun, 10 Aug 1997 14:43:22 -0400 (EDT)
Date: Sun, 10 Aug 1997 14:43:22 -0400 (EDT)
From: Brian Mitchell
To: Eivind Eklund
cc: Alfred Perlstein, hackers@FreeBSD.ORG
Subject: Re: Fix for the PROCFS security hole!
In-Reply-To: <199708101539.RAA05202@bitbox.follo.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 10 Aug 1997, Eivind Eklund wrote:

> > I'm not too sure how to do it, but IF the procfs system could be modified
> > to somehow act like the /dev/tty* system, where the second a user
> > logs on the device is then owned by them and all other users' access is
> > revoked. This could work that a setuid proc when exec'd, procfs would
> > automatically change permissions on it so that it is untainable.
>
> Possibly. It seems somewhat difficult, though, as when you have a
> file-descriptor I believe the access is only checked the moment you
> open the file, not on each access. Thus, you can e.g. drop root
> privileges after having bound to a privileged port.
>
> It might be possible to hack only procfs to actually do that checking,
> though. Seems the most feasible way to solve this.
>
> Eivind.

Well, what I thought was:

When you open a procfs 'file', set the ptraced flag. Every 'file' should check to make sure this flag is still set; if not, return an error. kern_exec already checks for the existence of this flag and removes it for set[ug]id programs.
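The re-check-on-every-access idea Brian describes, as an added toy model (not code from the thread or from FreeBSD; `struct proc`, `P_TRACED` and the function names are assumptions that only loosely mirror the real kernel). It shows why checking only at open time is not enough: a descriptor opened before a set[ug]id exec keeps working unless each access re-validates the mark.

```c
/* Added example (not FreeBSD code): toy model of the check proposed above.
 * Opening a procfs node marks the target traced; every later access re-checks
 * the mark instead of trusting the open-time check; exec of a set[ug]id image
 * clears it. Names (struct proc, P_TRACED) are assumptions, not the real kernel's. */
#include <errno.h>
#include <stdbool.h>

#define P_TRACED 0x1u            /* hypothetical flag bit */

struct proc { int pid; unsigned flags; };
struct procfs_fd { struct proc *target; };

/* procfs open: the one place access used to be checked; now also sets the mark. */
int procfs_open(struct proc *target, struct procfs_fd *fd)
{
    target->flags |= P_TRACED;
    fd->target = target;
    return 0;
}

/* Every read/write re-validates the mark: 0 if still traced, -EPERM otherwise. */
int procfs_access(const struct procfs_fd *fd)
{
    return (fd->target->flags & P_TRACED) ? 0 : -EPERM;
}

/* Model of the kern_exec behaviour the thread refers to: exec of a set[ug]id
 * image drops the traced flag; a plain image leaves it alone. */
void kern_exec(struct proc *p, bool image_is_setugid)
{
    if (image_is_setugid)
        p->flags &= ~P_TRACED;
}

/* Open a procfs node on pid 100 (constructed sample), then let the target exec
 * an image. Returns the result of the access made after exec: 0 or -EPERM. */
int access_after_exec(bool image_is_setugid)
{
    struct proc p = { .pid = 100, .flags = 0 };
    struct procfs_fd fd;
    procfs_open(&p, &fd);
    if (procfs_access(&fd) != 0)
        return -1;                   /* before exec the handle must work */
    kern_exec(&p, image_is_setugid);
    return procfs_access(&fd);       /* -EPERM for a set[ug]id image, else 0 */
}
```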