Subject: Re: ps and top stopped working for ordinary users.
To: Ib-Michael Martinsen <imm@nethotel.dk>
From: Mark Brinicombe <mark@causality.com>
List: port-arm32
Date: 05/24/1998 19:52:24
On Sun, 24 May 1998, Ib-Michael Martinsen wrote:

> Hi there!
> 
> Recently the ps and top commands stopped working for ordinary users.
> I am not sure what caused it, but I would very much like to restore
> things to normal without having to re-install RiscBSD.
> 
> The symptoms for the errors were messages like the following:
> 
> imm@nethotel:/home/imm => top   
> kvm_open: /dev/mem: Permission denied
> 
> imm@nethotel:/home/imm => top
> kvm_open: /dev/kmem: Permission denied
> 
> imm@nethotel:/home/imm => top
> kvm_open: /dev/drum: Permission denied
> 
> What I did to circumvent the problems was to change the attributes
> of the device files from
> 
> crw-------   1 root  kmem        1,   0 Mar  2 19:32 drum
> crw-------   1 root  kmem        0,   1 Mar  2 19:32 kmem
> crw-------   1 root  kmem        0,   0 Mar  2 19:32 mem
> 
> to
> 
> crw-r--r--   1 root  kmem        1,   0 Mar  2 19:32 drum
> crw-r--r--   1 root  kmem        0,   1 Mar  2 19:32 kmem
> crw-r--r--   1 root  kmem        0,   0 Mar  2 19:32 mem
> 
> The attributes of ps and top are as follows:
> 
> -r-xr-sr-x  1 bin  kmem  233472 Oct 29  1997 /bin/ps
> -r-xr-xr-x  1 root  wheel  40960 Nov  6  1997 /usr/local/bin/top
> 
> Is my circumvention correct or should I do something else to
> fix the problems?

Nope, you should not give world read access to these devices, as that is a
serious security hole.

Two problems exist here.
1. The original permissions on the device files are wrong.
2. The permissions and ownership on top are wrong.

What you should do is

chmod 640 /dev/drum
chmod 640 /dev/kmem
chmod 640 /dev/mem
chown bin:kmem /usr/local/bin/top
chmod 2555 /usr/local/bin/top

resulting in

crw-r-----   1 root  kmem        1,   0 Mar  2 19:32 drum
crw-r-----   1 root  kmem        0,   1 Mar  2 19:32 kmem
crw-r-----   1 root  kmem        0,   0 Mar  2 19:32 mem

-r-xr-sr-x  1 bin  kmem  42931 Dec 14 19:01 /usr/local/bin/top

This gives the group kmem read-only access to the device files, and the
set gid on exec bit means that both ps and top run with the gid kmem so that
they are able to read the device files.

Cheers,
				Mark
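
The three permission states in this thread (original, world-readable workaround, and the recommended fix) can be told apart mechanically from `ls -l` output. The script below is an added example, not part of the original message; the function names and return codes are this example's own convention, and the sample lines are taken from the listings above.

```shell
#!/bin/sh
# Added example: classify `ls -l` lines for the memory devices and for the
# tools that read them. Names and return codes are hypothetical conventions.

# audit_device "<ls -l line>"
#   0 = ok, 1 = world access (exposure), 2 = group cannot read (ps/top fail),
#   3 = not owned by root:kmem
audit_device() {
    set -f; set -- $1; set +f          # split line into fields, no globbing
    mode=$1; owner=$3; group=$4
    case $mode in
        ???????---) ;;                 # chars 8-10: nothing for "other"
        *) echo "EXPOSED   $mode: world can access kernel memory"; return 1 ;;
    esac
    case $mode in
        ????r-????) ;;                 # chars 5-6: group reads, cannot write
        *) echo "BROKEN    $mode: group needs read-only access"; return 2 ;;
    esac
    [ "$owner:$group" = "root:kmem" ] || { echo "OWNERSHIP $owner:$group"; return 3; }
    echo "OK        $mode $owner:$group"
}

# audit_tool "<ls -l line>"
#   0 = ok, 1 = group/world writable, 2 = no setgid bit, 3 = group is not kmem
audit_tool() {
    set -f; set -- $1; set +f
    mode=$1; group=$4
    case $mode in
        ??????s???) ;;                 # char 7: setgid with group execute
        *) echo "NOSGID    $mode: will not run with gid kmem"; return 2 ;;
    esac
    [ "$group" = "kmem" ] || { echo "GROUP     $group: setgid to wrong group"; return 3; }
    case $mode in
        ?????w????|????????w?) echo "WRITABLE  $mode: setgid binary can be replaced"; return 1 ;;
    esac
    echo "OK        $mode group=$group"
}

# Sample input from the thread: original, workaround, fix, then the two tops.
audit_device "crw-------   1 root  kmem  0,   0 Mar  2 19:32 mem" || :
audit_device "crw-r--r--   1 root  kmem  0,   0 Mar  2 19:32 mem" || :
audit_device "crw-r-----   1 root  kmem  0,   0 Mar  2 19:32 mem" || :
audit_tool "-r-xr-xr-x  1 root  wheel  40960 Nov  6  1997 /usr/local/bin/top" || :
audit_tool "-r-xr-sr-x  1 bin  kmem  42931 Dec 14 19:01 /usr/local/bin/top" || :
```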