Subject: Re: Bugtraq: procfs hole
To: None <>
From: Andrew Brown <>
List: tech-security
Date: 08/15/1997 11:20:11
>I supped today, but procfs still apears to be volnerable.  I havn't
>looked much at the procfs source yet, but from the comment in the new
>checkioperm(), could the problem be that the exploit doesn't "open the
>memory of a setuid process" so isn't caught by rule 1?.  It opens the
>memory of a normal process (the exploit), which then the process exec's to
>a setuid program after the memory is allready open.

am i wrong in my understanding that procfs is simply "a nice feature",
or do there exist programs that actually use it for something?

wouldn't a simpler solution be to basically effect a revoke(2) on the
"file descriptor" or "vnode" associated with the mem pseudo-file on
each process before it does the exec (maybe even only do this if the
exec is calling a suid program)?  this could be placed in the exec

not that i'm offering to do this myself any time soon.  :)  i'm just
thinking out loud...

>I've e-mailed Jason, but he won't be back until Wednesday.  So the obvious
>intermediate fix is to take procfs out of your kernel.  Obviously,
>removing mount_procfs won't help much.

yes, take it out...leave it out.  until it's fixed.

|-----< "CODE WARRIOR" >-----| (TheMan)        * "ah!  i see you have the internet                               that goes *ping*!"      * "information is power -- share the wealth."