Klaus Klein wrote:

> Noriyuki Soda <soda@sra.co.jp> writes:
> 
> > >>>>> On Fri, 02 May 2003 23:24:58 +1000,
> > 	Simon Burge <simonb@wasabisystems.com> said:
> > 
> > >> And that might open another security problem
> > >> because any user can query the owner of any TCP connection now.
> > 
> > > I don't have any idea of security implications of this.  Anyone know
> > > better?
> > 
> > It has been possible before TCPCTL_IDENT, by just using /usr/bin/fstat.
> 
> But unlike TCPCTL_IDENT, fstat can be restricted easily by changing
> its file permissions (albeit coarsely).

Hmm.

I'd like to commit something based on the new code, as uses the
traditional sysctl() method of passing the query only in the MIB.

I can see three ways forward:

 a)  Use the current patch, but has a possible security implication.

 b)  Add an "is root" check to give current in-tree behaviour.

 c)  Add a knob (sysctl, kernel compile time?) to enable non-root
     lookups.

I also have plans to one day convert fstat to using sysctl()s, so
we're going to strike this problem again one day.

Maybe a number of sysctl's under kern.security?  These could also
control allowing non-root users to look up process info for other
users, etc...

Maybe b) for now and I'll look at fleshing out c)?

Simon.
--
Simon Burge                            <simonb@wasabisystems.com>
NetBSD Support and Service:         http://www.wasabisystems.com/