Date: Sun, 5 Dec 2004 22:56:47 -0500 From: Garance A Drosihn <drosih@rpi.edu> To: Pawel Jakub Dawidek <pjd@freebsd.org>, freebsd-arch@freebsd.org Cc: cperciva@freebsd.org Subject: Re: ps -e without procfs(5). Message-ID: <p06200745bdd981a17851@[128.113.24.47]> In-Reply-To: <20041130231236.GD56431@darkness.comp.waw.pl> References: <20041130231236.GD56431@darkness.comp.waw.pl>
next in thread | previous in thread | raw e-mail | index | archive | help
At 12:12 AM +0100 12/1/04, Pawel Jakub Dawidek wrote: >Hello. > >I need some testing for this patch: > > http://people.freebsd.org/~pjd/patches/ps-e.patch > >It allows to use 'ps -e' without procfs(5) mounted. > >I decided to disable this functionality by default, because procfs(5) >is also disabled by default and some people may already depend on the >fact, that environment is a secret by default. >To see the effects, you need to increase sysctl kern.ps_env_cache_limit >to for example 1024. I think it is true that procfs was mounted by default in 4.x, so I am not sure we need to start the system with kern.ps_env_cache_limit set to 0. Note that there are (or were?) other protections in `ps' such that non-root users can only see the environment variables for their own processes. They can't see them for processes owned by other users. And in 5.x, if procfs *is* mounted then users can't even see environment variables of their own processes if sysctl security.bsd.unprivileged_proc_debug is set to 0 (it defaults to 1). I also notice that due to the way your new ability is implemented, nobody can see the environment variables for any process which was started up before the kern.ps_env_cache_limit is set. I tried to set it in /boot/loader.conf.local, but that didn't seem to work. (that may have been due to an error on my part, though). Hmm. And actually, your new version does seem to allow users to see the environment variables of processes they do not own, once the new sysctl is turned on. That would not be a good change to make. -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p06200745bdd981a17851>