Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sun, 27 Mar 2011 23:45:52 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: sysfs facility

Vasiliy,

On Sun, Mar 27, 2011 at 07:05:46PM +0400, Vasiliy Kulikov wrote:
> I've wrote a draft version of sysfs facility for owl-control to restrict
> access to contents of sysfs mount point.  It has only 2 modes - public
> (currently implemented in every distro) and restricted.  It lacks
> a group restriction.
> 
> The same works for procfs (e.g. to fix numerous ASLR infoleaks,
> prevent exploitation of CVE-2011-1020, or just to restrict ps(1)).

Although we had discussed this approach, I never liked it much.  I did
not seriously consider it for Owl.  I think it is better for us to get
support for different sysfs and procfs permission settings into the
kernel.  It could be in the form of sysctl's or maybe mount options -
mode, gid, umask.  Something like:

mount sysfs /sys -t sysfs -omode=700
mount proc /proc -t proc -ogid=110,umask=007

could be our default.  The procfs umask would apply to user-related
entries in /proc only (most importantly, the /proc/<pid> directories),
whereas system-wide things like /proc/cpuinfo would stay world-readable.
If one wants to restrict access to those, they'd use mode=... instead,
which would apply to the procfs root directory entry.  Well, OK, that's
confusing, and then we'd want umask to apply to /proc/net as well...
So maybe a differently named mount option or a sysctl will be better.

I think we should decide on this and propose it upstream.

Even if rejected upstream, we need something like this in our kernel
anyway.  Restricting access to the mount point won't cut it - no
equivalent to restricting /proc/<pid> directories, which is a must for
being able to let ps see the current user's processes only.

So if you asked me whether to create such a control facility or not,
I would reply "no".  Now that you've already spent time on it, I'm not
sure.  What do others think?

Thanks,

Alexander

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.