Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 15 Jun 2011 09:22:21 -0700
From: Randy Dunlap <rdunlap@...otime.net>
To: Vasiliy Kulikov <segoon@...nwall.com>
Cc: linux-kernel@...r.kernel.org, kernel-hardening@...ts.openwall.com,
 Andrew Morton <akpm@...ux-foundation.org>, Greg Kroah-Hartman
 <gregkh@...e.de>, "David S. Miller" <davem@...emloft.net>, Arnd Bergmann
 <arnd@...db.de>, Nikanth Karthikesan <knikanth@...e.de>, David Rientjes
 <rientjes@...gle.com>, Matt Mackall <mpm@...enic.com>,
 linux-doc@...r.kernel.org
Subject: Re: [RFC 5/5 v3] procfs: add documentation for procfs mount options

On Wed, 15 Jun 2011 17:58:19 +0400 Vasiliy Kulikov wrote:

> Add documentation for procfs mount options.
> 
> Signed-off-by: Vasiliy Kulikov <segoon@...nwall.com>
> ---
>  Documentation/filesystems/proc.txt |   51 ++++++++++++++++++++++++++++++++++++
>  1 files changed, 51 insertions(+), 0 deletions(-)
> 
> diff --git a/Documentation/filesystems/proc.txt b/Documentation/filesystems/proc.txt
> index f481780..327a640 100644
> --- a/Documentation/filesystems/proc.txt
> +++ b/Documentation/filesystems/proc.txt
> @@ -41,6 +41,8 @@ Table of Contents
>    3.5	/proc/<pid>/mountinfo - Information about mounts
>    3.6	/proc/<pid>/comm  & /proc/<pid>/task/<tid>/comm
>  
> +  4	Configuring procfs
> +  4.1	Mount options
>  
>  ------------------------------------------------------------------------------
>  Preface
> @@ -1541,3 +1543,52 @@ a task to set its own or one of its thread siblings comm value. The comm value
>  is limited in size compared to the cmdline value, so writing anything longer
>  then the kernel's TASK_COMM_LEN (currently 16 chars) will result in a truncated
>  comm value.
> +
> +
> +------------------------------------------------------------------------------
> +Configuring procfs
> +------------------------------------------------------------------------------
> +
> +4.1	Mount options
> +---------------------
> +
> +The following mount options are supported:
> +
> +	hidepid=	Set /proc/<pid>/ access mode.
> +	hidenet		Hide /proc/<pid>/net/ from nonauthorized users.
> +	nohidenet	Don't hide /proc/<pid>/net/ from nonauthorized users.
> +	gid=		Set the group authorized to learn processes and
> +			networking information.
> +
> +hidepid=0 means classic mode - everybody may access all /proc/<pid>/ directories
> +(default).
> +
> +hidepid=1 means users may not access any /proc/<pid>/ directories, but their

comma not needed above.

> +own.  Sensitive files like cmdline, io, sched*, status, wchan are now protected
> +against other users.  This makes impossible to learn whether any user runs

                              makes it impossible

> +specific program (given the program doesn't reveal itself by its behaviour).
> +As an additional bonus, as /proc/<pid>/cmdline is unaccessible for other users,
> +poorly written programs passing sensitive information via program arguments are
> +now protected against local eavesdroppers.
> +
> +hidepid=2 means hidepid=1 plus all /proc/<pid>/ will be fully invisible to other
> +users.  It doesn't mean that it hides a fact whether a process with a specific

                           that it hides whether a process

> +pid value exists (it can be learned by other means, e.g. by sending signals),
> +but it hides process' uid and gid, which may be learned by stat()'ing
> +/proc/<pid>/ otherwise.  It greatly complicates intruder's task of gathering info

                                                   an intruder's

I would also prefer "information" instead of "info" (globally).

> +about running processes, whether some daemon runs with elevated privileges,
> +whether other user runs some sensitive program, whether other users run any

   whether another user runs

> +program at all, etc.
> +
> +hidenet means /proc/<pid>/net/ will be accessible to processes with
> +CAP_NET_ADMIN capability or to members of a special group.  It means
> +nonauthorized users may not learn any networking connections information.  If
> +network namespaces support is enabled (CONFIG_NET_NS=y) then common users would
> +obtain net directory, but all files would indicate no networking activity at
> +all.  If network namespaces are disabled, net directory is unaccessible to
> +common users.
> +
> +gid= means group authorized to learn processes information prohibited by
> +hidepid= and networking information prohibited by hidenet.  If you use some
> +daemon like identd which have to learn information about net/processes

                      which has to learn

> +information, just add identd to this group.
> -- 


---
~Randy
*** Remember to use Documentation/SubmitChecklist when testing your code ***

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.