Date: Tue, 3 Aug 1999 16:46:01 -0700
From: "David O'Brien" <obrien@NUXI.com>
To: ports@freebsd.org
Subject: (FWD) HASSECURITY too secure?
Message-ID: <19990803164601.A38693@dragon.nuxi.com>
What are people's opinions on this issue concerning LSOF?

----- Forwarded message from Vic Abell -----

Date: Tue, 3 Aug 1999 08:06:39 -0500
Subject: HASSECURITY too secure?

Recently Craig Leres wrote this:

> I've noticed that if I am in group kmem and run a non-setuid lsof
> binary, I can only look at processes owned by me. It seems like
> this restriction should only apply when running set user or group
> id, don't you think? Please consider the appended patch.

I gave it some thought over the course of further e-mail exchanges with Craig and his colleague, Jef Poskanzer, and decided to decline to make the changes Craig requested. Since Craig and Jef remain unconvinced that my position is correct, I thought I'd put the question to you readers of lsof-l to get your thoughts and opinions.

Craig's position is stated in the above citation. My position is that HASSECURITY functions exactly as described in 00README and the change Craig proposes would affect people who rely on the documented HASSECURITY behavior. 00README says:

    If the symbol HASSECURITY is defined, a security mode is enabled, and
    lsof will allow only the root user to list all open files. Non-root
    users may list only open files whose processes have the same user ID
    as the real user ID of the lsof process (the one that its user logged
    on with).

I know there are ports packages (e.g., FreeBSD and maybe Debian Linux) that patch machine.h to activate HASSECURITY, and I'm not comfortable changing the effect of HASSECURITY because of them.

What could be done, given sufficient interest in such a feature, would be to establish a new HASSECURITY level (or a new feature definition altogether) that would do what Craig and Jef want. I think that doing so would probably take more effort to change peripheral pieces and documentation than the basic changes Craig has supplied, and I'm not yet convinced I should spend time on it.

A minor objection is that the change would be slightly different for the lsof implementations (/proc-based Linux, Pyramid DC/OSx, and Pyramid Reliant UNIX) that already need root permission. In both cases, the change would have to determine if the executing process had other permissions (i.e., access to /dev/kmem or read permission to /proc files) that made continuing past the traditional HASSECURITY block practical.

So what do you think? Is such a change worth considering and spending (my) time and effort? If you think a change would be useful, what should be changed; should HASSECURITY be changed the way Craig suggests; or should there be a new security option?

Vic

----- End forwarded message -----
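As an added illustration, not lsof's source or the patch Craig sent, the C below models the two listing rules the thread debates: the HASSECURITY check as 00README documents it, and Craig's variant that applies the check only when lsof runs set-user-id or set-group-id. The struct, function names and sample uids/gids are constructed for the example.

```c
/* Added example, not lsof code: models the two listing rules debated above. */
#include <stdio.h>
#include <sys/types.h>

/* Credentials of the running lsof process (constructed for the example). */
struct lsof_ctx {
    uid_t ruid, euid;   /* real and effective user id */
    gid_t rgid, egid;   /* real and effective group id */
};

/* HASSECURITY as documented in 00README: root may list every process;
 * anyone else only processes whose uid equals lsof's real uid. */
int hassecurity_may_list(const struct lsof_ctx *c, uid_t proc_uid)
{
    if (c->ruid == 0)
        return 1;
    return proc_uid == c->ruid;
}

/* Craig's proposal: apply the HASSECURITY restriction only when lsof
 * runs set-user-id or set-group-id. A non-setuid lsof is left to the
 * kernel's own permission checks on /dev/kmem or /proc, which is the
 * point Vic raises about the implementations that already need root. */
int proposed_may_list(const struct lsof_ctx *c, uid_t proc_uid)
{
    int setid = (c->ruid != c->euid) || (c->rgid != c->egid);
    if (!setid)
        return 1;
    return hassecurity_may_list(c, proc_uid);
}

int main(void)
{
    /* Constructed cases: a kmem-group user running a plain and a set-gid lsof. */
    struct lsof_ctx plain  = { 1000, 1000, 2, 2 };
    struct lsof_ctx setgid = { 1000, 1000, 100, 2 };
    uid_t owners[] = { 0, 1000, 1001 };
    for (size_t i = 0; i < 3; i++) {
        printf("proc uid %u: HASSECURITY=%d proposed(plain)=%d proposed(setgid)=%d\n",
               (unsigned)owners[i],
               hassecurity_may_list(&plain, owners[i]),
               proposed_may_list(&plain, owners[i]),
               proposed_may_list(&setgid, owners[i]));
    }
    return 0;
}
```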