From owner-freebsd-current Sun Apr 28 13: 0:36 2002 Delivered-To: freebsd-current@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2203737B41D for ; Sun, 28 Apr 2002 13:00:08 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.11.6/8.11.6) with SMTP id g3SJxiw03277; Sun, 28 Apr 2002 15:59:45 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sun, 28 Apr 2002 15:59:44 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Richard Arends Cc: Kris Kennaway , current@FreeBSD.ORG Subject: Re: truss In-Reply-To: <20020428210839.J52867-100000@mail.unixguru.nl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG On Sun, 28 Apr 2002, Richard Arends wrote: > > I think truss is one of the last stragglers that relies on it -- > > the other is 'ps -e', which gropes through the memory of each process to > > dig out the environmental variables. This requires that ps both have > > substantial privilege, and that procfs be present. > > Can't we take the privileges away, so that an user only can see his own > procs and only root can see all?? It's a little more complicated than that. The problem was that procfs provided extremely broad access to the system, but without much granularity. Mostly this meant that if you had root privilege, you could do whatever you wanted, and otherwise, you got a reasonable view of the system (modulo the countless security holes in procfs). So the problem was that ps ran with a lot of privilege -- generally root or 'gid kmem' which amounts to much the same thing. This meant that gating of process information happened in the ps command, or at least, with the help of the ps command deciding not to get around the information gating. In FreeBSD 4.0, this responsibility happens both in userland and the kernel -- the kernel makes some effort to limit access via procfs, but largely allows privileged processes access to most things. So the ps command implemented the limit on what processes you could extract environmental information from. In FreeBSD 5.0, all this information is exported from the kernel using the sysctl() interface, which provides much more information gating, and flexibe policy controls. This exists in part in 4.x, but not completely. In 5.0, ps requires no special privilege, and access control is done entirely in the kernel. However, giving up the ability to grope through the memory of other processes by giving up procfs does limit that one capability -- listing environmental variables. For ps to display this information, either it has to extract it using a kernel facility (such as procfs), or the kernel has to extract it and provide it to ps. So far, we've had to rule out the first due to the security issues, but the second hasn't been implemented. It's not clear there's enough interest in it that someone has felt motivated to do so. Patches would be accepted here, but I think there's some concensus it's not really a necessary feature, and it also raises a lot of security issues of its own (you'd be surprised what ends up in environmental variables, and how hard it is to keep policy in sync between userland and kernel). BTW, 5.0 will also allow (once we commit the MAC framework from the TrustedBSD Project) kernel modules to tweak process visibility protections in the kernel at runtime. For example, you can kldload a mac_seeotheruids.ko policy module, which can limit what processes can view of other processes based on a number of factors, including uids, and information it tags onto the processes. It can also limit access to socket information listed in netstat, etc. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message