From owner-freebsd-security Wed Nov 24 8: 1:19 1999
Delivered-To: freebsd-security@freebsd.org
Received: from rover.village.org (rover.village.org [204.144.255.49])
	by hub.freebsd.org (Postfix) with ESMTP id E6C661525E;
	Wed, 24 Nov 1999 08:01:00 -0800 (PST)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (harmony.village.org [10.0.0.6])
	by rover.village.org (8.9.3/8.9.3) with ESMTP id JAA13435;
	Wed, 24 Nov 1999 09:00:57 -0700 (MST)
	(envelope-from imp@harmony.village.org)
Received: from harmony.village.org (localhost.village.org [127.0.0.1])
	by harmony.village.org (8.9.3/8.8.3) with ESMTP id JAA20734;
	Wed, 24 Nov 1999 09:01:20 -0700 (MST)
Message-Id: <199911241601.JAA20734@harmony.village.org>
To: Poul-Henning Kamp
Subject: Re: ps on 4.0-current
Cc: freebsd-current@FreeBSD.ORG, security@FreeBSD.ORG
In-reply-to: Your message of "Wed, 24 Nov 1999 09:11:20 +0100."
	<33189.943431080@critter.freebsd.dk>
References: <33189.943431080@critter.freebsd.dk>
Date: Wed, 24 Nov 1999 09:01:20 -0700
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <33189.943431080@critter.freebsd.dk> Poul-Henning Kamp writes:
: In message <199911240801.BAA19058@harmony.village.org>, Warner Losh writes:
:
: >Not all will agree with this, and it is a change from the past so
: >there needs to be a sysctl to control this. And given that it is a
: >radical change from the past, it needs to default to open.
:
: Now, I can't tell if you wore the security-master hard-hat in this
: email or not, and I see some quite divergent Australian positions,
: so I will sit tight until I see a little bit more of a consensus.

It was with my hat on, but lemme explain a little how I got here.

Before the recent changes to ps, procfs used to not disclose the
command line. When it was modified to be used with a ps that
didn't need to be set[gu]id it lost this.
I wanted to see it restored for those people that had depended on
this, but realized that it would be unpopular (and unnecessary) for
many people. As part of the change to restore the behavior, I wanted
the sysctl. Now that it is half there, I'd like the other half to
complete the picture.

The reason that it was a big deal to me was that on the old system if
you turned off the setuidness of ps, w, et al. you would block
disclosure of args/env vars, etc., but still have access to process
lists. With the change, there was no way to do this, which represented
a weakening of the overall system on the whole, despite the strength
added by taking the setgid bit off ps.

sef has sent me patches that I've not had a chance to review that
appear to implement this.

Warner