Date:      Wed, 24 Nov 1999 08:03:52 +0000
From:      Brian Somers <brian@Awfulhak.org>
To:        Mike Smith <mike@smith.net.au>
Cc:        Dan Nelson <dnelson@emsphone.com>, freebsd-current@FreeBSD.ORG, brian@hak.lan.Awfulhak.org
Subject:   Re: ps on 4.0-current 
Message-ID:  <199911240803.IAA89224@hak.lan.Awfulhak.org>
In-Reply-To: Message from Mike Smith <mike@smith.net.au>  of "Tue, 23 Nov 1999 21:46:24 PST." <199911240546.VAA00843@dingo.cdrom.com> 

> > In the last episode (Nov 23), Lyndon Nerenberg said:
> > > After you verify that this change isn't going to break things that
> > > assume they can see the *argv list via ps(1). I.e. lightning bolts
> > > that do 'kill -MUMBLE `ps -ax|grep foo`'. Which may not be elegant
> > > style, but sometimes is the only workable solution.

Indeed.  There's always a better way, but I've seen countless 
production systems that do this all the time.  In fact, we've only 
recently done away with all the (sysv) ``ps -ef''s where I work.

> > That won't be affected, because anyone that has kill rights to the
> > process will also see the full processname.  Now that I think about it,
> > I can't come up with a case where this is really bad.  If you're doing
> > ps'es with intent to kill arbitrary processes (in the name of debugging
> > or whatever), you're probably already root.

Or maybe you're a sysadm that's smart enough to use sudo and not run 
around with root liability in normal life.

> This was discussed close to death before the changes were committed, 
> and the current behaviour (restricted access) has been agreed by 
> general consensus to be the most appropriate.

My reading of the thread was ``I'm going to cache ps args to stop all 
the delving into user space to do a ps'', ``but what about the -e 
option'', ``ok, I'll make that inaccessible unless you have 
permission''.

I stopped reading the -e thread because I believe it's a good thing to 
restrict this.  I completely missed that the conversation had moved 
on to ``hey, who needs ps args anyway'', and I'm sure that given the 
number of messages posted about the -e restriction, others did too.

> Making this behaviour tunable would be bad; it adds another option 
> increasing complexity, and with the proposed default in most cases an 
> admin tightening up a system would never know about it in the first 
> place, rendering it useless.
> 
> I'd strongly recommend leaving things the way they are.

This change in behaviour will break production systems, and I'm 
pretty sure that the breakage will be worked around with a quick 
``chmod 4555 /bin/ps''.  Is this what we want ?  Where I work, we've 
just done away with all the sysv ``ps -ef'' calls in the system.  It 
took several weeks and a lot of testing.  I'd be pretty miffed if the 
OS shoved this down my throat prematurely as a requirement just because 
I upgraded without knowing of the change.

Further, I assert that this change is just wrong !

Why does setproctitle() now require root privileges if nobody can 
see the results ?  This is dumb, as the only uid that we're 
protecting against is the user that's running setproctitle() !

sendmail/nfs/ppp etc can no longer give normal users information on 
what's going on via the command args (ok, you can figure out the nfs 
args).

System monitoring scripts will now have to run as root.

In fact, why do the processes owned by other users show up at all ?  
The ``you don't need to see their args'' argument can equally apply 
to needing to see the entire process.... you can always kill -0 a 
process if you need to know if it's running.... or maybe on second 
thoughts, we should restrict kill -0 - why should people have this 
functionality anyway ?

I believe the knob is required and should default to the way things 
were.

Well, that's my opinion.  I'll calm down now.

> -- 
> \\ Give a man a fish, and you feed him for a day. \\  Mike Smith
> \\ Tell him he should learn how to fish himself,  \\  msmith@freebsd.org
> \\ and he'll hate you for a lifetime.             \\  msmith@cdrom.com

-- 
Brian <brian@Awfulhak.org>                        <brian@FreeBSD.org>
      <http://www.Awfulhak.org>;                   <brian@OpenBSD.org>
Don't _EVER_ lose your sense of humour !          <brian@FreeBSD.org.uk>
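The ``kill -0'' liveness check mentioned above, written out as an added example (not code from the thread or from FreeBSD): kill(pid, 0) sends nothing and only runs the kernel's existence and permission checks, so a monitoring script that is not root must treat EPERM as "running, but not mine" and only ESRCH as "gone". The enum and function names are my own.

```c
#include <errno.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of probing a pid with the null signal. */
enum proc_state {
    PROC_RUNNING,          /* exists and we are allowed to signal it */
    PROC_RUNNING_NOT_OURS, /* exists, but owned by another uid (EPERM) */
    PROC_GONE,             /* no such process (ESRCH) */
    PROC_BAD_PID           /* pid <= 0 would address a process group */
};

/* kill(pid, 0) delivers no signal; the return value and errno alone
 * distinguish a live process from a dead one, no ps(1) output needed. */
enum proc_state probe_pid(pid_t pid)
{
    if (pid <= 0)
        return PROC_BAD_PID;
    if (kill(pid, 0) == 0)
        return PROC_RUNNING;
    switch (errno) {
    case EPERM:
        return PROC_RUNNING_NOT_OURS;
    case ESRCH:
        return PROC_GONE;
    default:
        return PROC_BAD_PID;
    }
}

/* Fork a child that exits at once, reap it, then probe its pid:
 * exercises the ESRCH path on a process we know has gone away. */
enum proc_state probe_reaped_child(void)
{
    pid_t child = fork();
    if (child < 0)
        return PROC_BAD_PID;
    if (child == 0)
        _exit(0);
    if (waitpid(child, NULL, 0) != child)
        return PROC_BAD_PID;
    return probe_pid(child);
}
```

A pidfile plus probe_pid() replaces the ``ps -ax | grep foo'' pattern for the common "is it still up" check without depending on argv being visible.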
