Date: Wed, 10 Oct 2001 14:43:04 -0700 (PDT)
From: Matt Dillon <dillon@earth.backplane.com>
To: Dag-Erling Smorgrav <des@ofug.org>
Cc: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/kern kern_proc.c kern_prot.c uipc_socket.c uipc_usrreq.c src/sys/netinet raw_ip.c tcp_subr.c udp_usrreq.c
Message-ID: <200110102143.f9ALh4E22413@earth.backplane.com>
References: <200110092140.f99LeVA74145@freefall.freebsd.org> <xzp7ku3h6c8.fsf@flood.ping.uio.no> <200110101522.f9AFM0S63283@khavrinen.lcs.mit.edu> <xzpy9mjfq4z.fsf@flood.ping.uio.no>
:Garrett Wollman <wollman@khavrinen.lcs.mit.edu> writes:
:> <<On 10 Oct 2001 17:17:59 +0200, Dag-Erling Smorgrav <des@ofug.org> said:
:> > > "Unprivileged processes may see subjects/objects with different real uid"
:> > Would people mind a lot if this variable defaulted to 0?
:> Hell yes.
:
:That's not a constructive response.
:
:To me, the ability of unprivileged users to obtain information about
:other users' processes and sockets is
:
: a) unnecessary
: b) a violation of privacy
: c) a security risk
:
:Unless you can provide an argument showing that this is necessary to
:the correct operation of a FreeBSD system, I'll simply ignore your
:contribution to this discussion.
:
:DES
:--
:Dag-Erling Smorgrav - des@ofug.org

    The number of times I or some other user on a multi-user system has had
    to track down a resource hog and notify the sysops is uncountable.
    Specifically, at BEST, our users helped us a great deal in regards to
    policing the shell machines precisely because they could monitor other
    users' processes through 'ps' and friends. A lot of blame that would
    have otherwise fallen on us instead fell on the people responsible for
    causing the problem, which is good.

    I would argue that there are several levels of visibility here that
    could be governed by sysctls. For example, if we take 'fstat' and 'ps'
    I would say that a user in the wheel group should have full access to
    both, while a user outside of wheel perhaps should only have access to
    'ps'. That's just an example.

    Either way, it's obvious to me that the correct solution is to create
    sysctl variables to govern access levels for root, wheel, and non-wheel
    users. In -stable it should absolutely default to full access, simply
    because nobody has shown any pressing security issues that would
    require us to pull full access. In -current it could be argued that
    other defaults are reasonable.

    There was one security issue with 'ps' in the past, and that was the
    'e' option. If you take a look at 'ps' now you will note that, in fact,
    we do not display the environment for processes not owned by the user
    doing the ps. I know of no other security issues, not even with fstat.

						-Matt
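The tiered visibility check Matt sketches above, written out as an added example. This is my own illustrative model, not FreeBSD kernel code and not code from anyone in this thread: the names cr_cansee, cr_cansee_env, policy_t, visible_pids and the sample process table are all mine, and the two "knobs" stand in for the sysctl whose description Garrett quotes (on FreeBSD, security.bsd.see_other_uids) plus the wheel carve-out Matt proposes. Two details worth noting in the model: the comparison is on the *real* uid, as the quoted sysctl description says, so a user still sees their own setuid-root processes; and the 'e' (environment) restriction is a separate rule that stays in force even when the visibility knob is wide open.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy credential: real uid plus supplementary groups.  Only the real uid
 * decides visibility, which is what the sysctl description quoted in the
 * thread says ("... different real uid").  Hypothetical model, not the
 * kernel's struct ucred. */
#define NGROUPS_MODEL 8
typedef struct {
    unsigned ruid;
    size_t   ngroups;
    unsigned groups[NGROUPS_MODEL];
} cred_t;

/* Matt suggests 'ps' and 'fstat' could sit at different access levels. */
typedef enum { RES_PROC = 0, RES_FILE = 1, RES_COUNT } resource_t;

/* Modelled knobs.  see_other_uids[r]: 1 = any user sees other real uids'
 * objects of kind r (the -stable default Matt argues for), 0 = own uid only
 * (what DES proposed).  wheel_sees_all: Matt's carve-out for the wheel
 * group, gid 0 on FreeBSD. */
typedef struct {
    int see_other_uids[RES_COUNT];
    int wheel_sees_all;
} policy_t;

#define GID_WHEEL 0u

static bool in_group(const cred_t *c, unsigned gid)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* 0 = visible, ESRCH = hidden.  Returning "no such process" rather than
 * EPERM mirrors what ps does: the entry simply does not appear. */
int cr_cansee(const policy_t *pol, const cred_t *viewer,
              const cred_t *target, resource_t res)
{
    if (viewer->ruid == 0)                       /* root: unconditional   */
        return 0;
    if (viewer->ruid == target->ruid)            /* own objects, REAL uid  */
        return 0;
    if (pol->wheel_sees_all && in_group(viewer, GID_WHEEL))
        return 0;
    if (pol->see_other_uids[res])
        return 0;
    return ESRCH;
}

/* The 'e' option: environment strings only for the viewer's own processes
 * (or for root), independent of the visibility knob above. */
int cr_cansee_env(const cred_t *viewer, const cred_t *target)
{
    return (viewer->ruid == 0 || viewer->ruid == target->ruid) ? 0 : EPERM;
}

typedef struct { unsigned pid; cred_t cred; } proc_t;

/* Filter a process table the way ps would: returns how many pids the viewer
 * gets to see, writing up to outmax of them to out (out may be NULL). */
size_t visible_pids(const policy_t *pol, const cred_t *viewer,
                    const proc_t *tab, size_t n, resource_t res,
                    unsigned *out, size_t outmax)
{
    size_t seen = 0;
    for (size_t i = 0; i < n; i++) {
        if (cr_cansee(pol, viewer, &tab[i].cred, res) != 0)
            continue;
        if (seen < outmax)
            out[seen] = tab[i].pid;
        seen++;
    }
    return seen;
}

/* Constructed sample data: init (root), two of alice's processes (pid 101 is
 * a setuid-root binary, so euid 0 but ruid still 1001), one of bob's. */
static const proc_t sample_table[] = {
    { 1,   { 0,    1, { 0 } } },
    { 100, { 1001, 1, { 1001 } } },
    { 101, { 1001, 1, { 1001 } } },
    { 200, { 1002, 1, { 1002 } } },
};
#define SAMPLE_N (sizeof sample_table / sizeof sample_table[0])

static const cred_t  cred_root        = { 0,    1, { 0 } };
static const cred_t  cred_alice       = { 1001, 1, { 1001 } };
static const cred_t  cred_carol_wheel = { 1003, 2, { 1003, GID_WHEEL } };
static const policy_t pol_open           = { { 1, 1 }, 1 };  /* -stable default   */
static const policy_t pol_closed         = { { 0, 0 }, 1 };  /* DES's proposal    */
static const policy_t pol_closed_nowheel = { { 0, 0 }, 0 };
static const policy_t pol_tiered         = { { 1, 0 }, 1 };  /* ps open, fstat not */
static unsigned g_pids[8];

int main(void)
{
    size_t n = visible_pids(&pol_open, &cred_alice, sample_table, SAMPLE_N,
                            RES_PROC, g_pids, 8);
    printf("open policy:   alice sees %zu processes\n", n);
    n = visible_pids(&pol_closed, &cred_alice, sample_table, SAMPLE_N,
                     RES_PROC, g_pids, 8);
    printf("closed policy: alice sees %zu processes\n", n);
    return 0;
}
```

With pol_closed, alice is left with pids 100 and 101 (her setuid-root process included, because the test is on real uid), carol sees everything through the wheel carve-out, and under pol_tiered alice can still list bob's process but not his open files.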