From: Pawel Jakub Dawidek
To: Garance A Drosihn
Cc: cperciva@freebsd.org, freebsd-arch@freebsd.org
Date: Mon, 6 Dec 2004 10:17:44 +0100
Message-ID: <20041206091744.GJ813@darkness.comp.waw.pl>
Subject: Re: ps -e without procfs(5).

On Sun, Dec 05, 2004 at 10:56:47PM -0500, Garance A Drosihn wrote:
> At 12:12 AM +0100 12/1/04, Pawel Jakub Dawidek wrote:
> >Hello.
> >
> >I need some testing for this patch:
> >
> > http://people.freebsd.org/~pjd/patches/ps-e.patch
> >
> >It allows using 'ps -e' without procfs(5) mounted.
> >
> >I decided to disable this functionality by default, because procfs(5)
> >is also disabled by default and some people may already depend on the
> >fact that the environment is secret by default.
> >To see the effects, you need to increase sysctl kern.ps_env_cache_limit
> >to, for example, 1024.
>
> I think it is true that procfs was mounted by default in 4.x, so I
> am not sure we need to start the system with kern.ps_env_cache_limit
> set to 0. Note that there are (or were?) other protections in `ps'
> such that non-root users can only see the environment variables for
> their own processes. They can't see them for processes owned by
> other users. And in 5.x, if procfs *is* mounted then users can't
> even see environment variables of their own processes if sysctl
> security.bsd.unprivileged_proc_debug is set to 0 (it defaults to 1).
>
> I also notice that due to the way your new ability is implemented,
> nobody can see the environment variables for any process which was
> started up before the kern.ps_env_cache_limit is set. I tried to
> set it in /boot/loader.conf.local, but that didn't seem to work.
> (That may have been due to an error on my part, though.)

(I added an example entry to /etc/sysctl.conf.)

> Hmm. And actually, your new version does seem to allow users to see
> the environment variables of processes they do not own, once the new
> sysctl is turned on. That would not be a good change to make.

I updated the patch; thanks for your suggestions.

PS. In this patch I removed the example entry from sysctl.conf, set the
cache size to 1024 bytes by default, and now use p_candebug() to
protect envs.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!