From: Matthew Seaman
To: Kris Kennaway
Cc: flux, freebsd-questions@freebsd.org
Date: Wed, 17 Dec 2003 14:26:56 +0000
Subject: Re: /proc directory

On Wed, Dec 17, 2003 at 06:09:32AM -0800, Kris Kennaway wrote:
> On Wed, Dec 17, 2003 at 12:12:18PM +0000, Matthew Seaman wrote:
>
> > Basically you mount it on your system, which lets a bunch of stuff
> > work properly, and you then ignore it for ever more. Unless you're
> > particularly concerned about security, in which case, you don't mount
> > it and do without the stuff that needs it to run. Note that mounting
> > the /proc directory is only a risk in the eyes of the most utterly
> > paranoid administrators.
>
> You're downplaying the security implications quite remarkably there:
> procfs has been the source of numerous local root vulnerabilities over
> the years, which should be a concern to anyone with untrusted local
> users.

Hmmm... On reflection, and after reading through the list of security
advisories, then yes. It is entirely possible that there still exist
vulnerabilities in the /proc system and you shouldn't use it on a
multi-user system where you don't trust all of the users.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614