Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Nov 2011 00:11:20 +0400
From: Vasiliy Kulikov <>
To: "H. Peter Anvin" <>
Cc: Eric Paris <>,,,,
	Alexey Dobriyan <>,
	Andrew Morton <>,,
	Linus Torvalds <>
Subject: Re: Re: [PATCH] proc: restrict access to

On Mon, Nov 07, 2011 at 11:50 -0800, H. Peter Anvin wrote:
> On 11/07/2011 11:48 AM, Eric Paris wrote:
> > On Mon, Nov 7, 2011 at 2:29 PM, Vasiliy Kulikov <> wrote:
> >> On Mon, Nov 07, 2011 at 11:18 -0800, H. Peter Anvin wrote:
> > 
> >> As to procfs, I see no real need of adding mode/group mount option for
> >> global procfs files (/proc/interrupts, /proc/stat, etc.) - it can be
> >> done by distro specific init scripts (chown+chmod).  I don't mind
> >> against such an option for the convenience, though.
> > 
> > While possible, the chmod+chown 'solutions' just aren't as simple as
> > you pretend.  Every time one creates a chroot environment and mounts
> > /proc it has be manually fixed there as well.  Same thing with a
> > container.  Sure if /proc were something that was only ever mounted
> > one time on a box it wouldn't be so bad, but that's not the case.....
> Yes, for a filesystem that dynamically creates nodes, a static script
> just doesn't work well.  Control options do, like we have for devpts for
> example.

My statement was about static files - /proc/{interrupts,meminfo,stat,cpuinfo}.
They don't change during the system life.  /proc/$PID/* files are indeed
dymanic and the first link in my quoted email was about addition of such
mount options.


Vasiliy Kulikov - bringing security into open computing environments

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.