
Re: [MiNT] Was: /proc, will be: /sys



Hi,

On Mon, Nov 15, 1999 at 04:36:56PM +0100, Konrad M. Kokoszkiewicz wrote:
> 
> > Do we?
> > 
> > My complaint here is that the whole point of defining a proper interface for
> > requesting process information is that you *don't* have to be root to use
> > it. And requiring ps.ttp to have root permissions will not work for people
> > with FAT filesystems...
> 
> Well, you're partially right. But actually, I see this as a feature: when
> Fopen() fails on processes not belonging to root etc., I can
> restrict/allow (by setting/clearing +s for ps) reading this information by
> users, provided I am a root on a multiuser setup connected to the public
> network. So I can decide if ps displays all the information, or only an
> information about processes belonging to the user who invoked ps.

The question is if it makes sense to restrict access to any information
that the ps command provides.  IMHO it doesn't.

> The other thing is, that when we use a limited filesystem (like FAT is),
> we must accept its limited features. Un*x like filesystems do have +s, FAT
> does not, and here you have an advantage of using Un*x-like FS instead of
> (or: in addition to) FAT. 

It should be unnecessary to run ps setuid root (see above, my personal
opinion).  Suid programs require a lot of attention if they should not
compromise security.

You don't solve security problems by preventing ordinary users from
peeking into other processes' environment.  You do so by avoiding the
installation of programs that hold sensitive data in the environment.

BTW, this is not an academic discussion.  In the new filesystem that
allows access to process specific data (was "/sys" and is now "/kern" by
the way) I followed "my" approach: Even ordinary users can have a glimpse
at every other process' command line, at its environment, and they can
read a lot of data like controlling tty, process group id, cpu time and so
on.  This is information that every ps command I know of on other systems
provides to every user.  If you consider that a security problem for
certain users (a classical example would be an anonymous ftp account) you
can always avoid that by running that particular user's login shell chroot
(and make sure that "/kern" is outside that user's filesystem root).

Ciao

Guido
-- 
http://stud.uni-sb.de/~gufl0000/
mailto:gufl0000@stud.uni-sb.de
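A defender-side audit that follows from the argument above, added here as an example and not code from MiNT or from the poster: it walks a /kern-style tree and flags processes whose readable environment holds credential-looking variables, which is where the real exposure lies. It assumes a per-pid directory containing a NUL-separated `environ` file (the Linux /proc convention, not necessarily the actual /kern format), and the sample tree and variable-name heuristic are constructed.

```python
import os
import re
import tempfile

# Heuristic list of variable names that commonly carry credentials (assumed).
SECRET_NAME = re.compile(r"PASS(WORD|WD)?|SECRET|TOKEN|API_?KEY", re.I)


def parse_environ(raw: bytes) -> dict:
    """Split a NUL-separated block of VAR=value entries into a dict."""
    env = {}
    for entry in raw.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep:
            env[name.decode(errors="replace")] = value.decode(errors="replace")
    return env


def find_exposed_secrets(kern_root: str) -> dict:
    """Return {pid: [var, ...]} for processes whose readable environment
    holds secret-looking variables. Anyone who can read the file sees them,
    so the fix belongs in the program that sets them, not in hiding /kern."""
    findings = {}
    for pid in sorted(d for d in os.listdir(kern_root) if d.isdigit()):
        try:
            with open(os.path.join(kern_root, pid, "environ"), "rb") as f:
                env = parse_environ(f.read())
        except OSError:
            continue  # process exited, or entry not readable by this user
        hits = sorted(name for name in env if SECRET_NAME.search(name))
        if hits:
            findings[int(pid)] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample /kern tree: one clean process, one leaking secrets."""
    root = tempfile.mkdtemp()
    samples = {
        "42": b"HOME=/home/alice\0SHELL=/bin/sh\0",
        "57": b"HOME=/home/bob\0DB_PASSWORD=hunter2\0API_KEY=abc123\0",
    }
    for pid, environ in samples.items():
        os.mkdir(os.path.join(root, pid))
        with open(os.path.join(root, pid, "environ"), "wb") as f:
            f.write(environ)
    return root
```

Running `find_exposed_secrets(build_sample_tree())` reports only pid 57; pointing the function at a real process filesystem turns it into a quick check of which installed programs keep secrets in their environment.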