Date: Fri, 3 Jun 2011 23:11:53 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Cc: Eugene Teo <eugeneteo@...il.com>
Subject: procfs mount options

Vasiliy, Eugene, all -

I welcome suggestions on how to achieve the desired functionality for
procfs in a non-confusing and generic way.  It should support the
following reasonable configuration:

/proc/PID directories restricted to group proc (except for owners and
root, indeed).  However, /proc/cpuinfo and the like unrestricted.
Here's what this looks like on Linux 2.4.x-ow:

dr-xr-x---  3 root    proc         0 Jun  3 22:59 1
...
dr-xr-x---  3 syslogd proc         0 Jun  3 22:59 205
dr-xr-x---  3 klogd   proc         0 Jun  3 22:59 211
...
-r--r--r--  1 root    proc         0 Jun  3 23:00 cpuinfo
...
-r--------  1 root    proc 536743936 Jun  3 23:00 kcore
-r--------  1 root    proc         0 May  5 20:36 kmsg
...
dr-xr-x---  5 root    proc         0 Jun  3 23:00 net
...
-r--r--r--  1 root    proc         0 Jun  3 23:00 uptime
-r--r--r--  1 root    proc         0 Jun  3 23:00 version

Perhaps gid=proc,umask=007 should result in the above for /proc/PID, but
how do we justify it not affecting /proc/cpuinfo, uptime, version (and
many others)?  How do we justify it nevertheless affecting /proc/net (or
should another option do that)?

Indeed, we could set some of these perms with chmod post-mount, but as
discussed this has drawbacks.  So ideally our preferred configuration
(which will be the default on Owl) should be achievable with mount
options alone.

Thanks,

Alexander
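
The layout described in the message, turned into a check over `ls -l /proc` output. This is an added example, not part of the original message or of Owl; the names `audit`, `OW_LISTING` and `UNRESTRICTED` are hypothetical, and the `UNRESTRICTED` sample lines are constructed.

```python
import re

# Expected modes, taken from the Linux 2.4.x-ow listing in the message above.
PID_DIR = "dr-xr-x---"
EXPECTED = {"net": "dr-xr-x---", "kcore": "-r--------", "kmsg": "-r--------",
            "cpuinfo": "-r--r--r--", "uptime": "-r--r--r--",
            "version": "-r--r--r--"}
GROUP = "proc"

# perms, link count, owner, group, then size/date, with the name as last field
LINE = re.compile(r"^(?P<perm>[-dl][-rwxsStT]{9})\s+\d+\s+(?P<owner>\S+)\s+"
                  r"(?P<group>\S+)\s+.*\s(?P<name>\S+)$")

# Lines quoted from the message.
OW_LISTING = """\
dr-xr-x---  3 root    proc         0 Jun  3 22:59 1
...
dr-xr-x---  3 klogd   proc         0 Jun  3 22:59 211
-r--r--r--  1 root    proc         0 Jun  3 23:00 cpuinfo
-r--------  1 root    proc 536743936 Jun  3 23:00 kcore
dr-xr-x---  5 root    proc         0 Jun  3 23:00 net
"""

# Constructed sample: a procfs without the restriction.
UNRESTRICTED = """\
dr-xr-xr-x  3 klogd   klogd        0 Jun  3 22:59 211
-r--r--r--  1 root    root         0 Jun  3 23:00 cpuinfo
dr-xr-xr-x  5 root    root         0 Jun  3 23:00 net
"""

def audit(listing):
    """Return (name, problem) pairs for entries that deviate from the layout."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # "..." elisions and blank lines
        name, perm, group = m["name"], m["perm"], m["group"]
        want = PID_DIR if name.isdigit() else EXPECTED.get(name)
        if want is None:
            continue  # entry not covered by the message's listing
        if perm != want:
            findings.append((name, f"mode {perm}, expected {want}"))
        # The group only matters where it is granted more than "other".
        if want[4:7] != want[7:10] and group != GROUP:
            findings.append((name, f"group {group}, expected {GROUP}"))
    return findings

if __name__ == "__main__":
    for name, problem in audit(UNRESTRICTED):
        print(f"/proc/{name}: {problem}")
```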
