Subject: Re: ps /proc changes (CVS commit: src)
To: None <firstname.lastname@example.org>
From: Greg A. Woods <email@example.com>
Date: 03/27/1999 13:08:10
[ On Saturday, March 27, 1999 at 10:51:51 (-0600), Brian C. Grayson wrote: ]
> Subject: Re: ps /proc changes (CVS commit: src)
> On Sat, Mar 27, 1999 at 10:44:19AM +0100, Bernd Ernesti wrote:
> > I think that is not enough. You have to check that /proc is a procfs.
> > It is just too easy to fake processes for an intruder without replacing ps.
> How about a getmntinfo() call, followed by a check that:
> a) a "procfs" is mounted on /proc
> b) nothing else has a mount point beginning with /proc.
That seems OK, but is fraught with opportunities for races. Perhaps if
procfs didn't make its sub-directories owned by the process owner then
the second check would be unnecessary and assuming secure permissions
for / and /proc then only the first check would be necessary and all
race conditions should be avoided, I think.
> Can we be any more sure than that? I'm not an FS guru or even
> FS knowledgeable, and I haven't tried these out, but aren't
> these security holes:
> 1. If an intruder has write access to /dev/kmem, they could fake
If an intruder has write access to /dev/*mem then you may as well forget
about the system. It's irrelevant at that point whether ps uses
/dev/kmem or /proc -- the system is totally hosed and you should just
newfs and re-install from original CDs (even backups may be hosed,
depending on how long the compromise had been successfully hidden).
> It _appears_ to me (now -- thanks for pointing this out!) that
> /kern and /proc are inherently insecure, no matter what you do.
> sysctl is the One True Way, unfortunately. :)
If you s/sysctl/system call/ then maybe I'd agree in part.... ;-)
> > There is no way to disable the /proc search when there is a problem between
> > the ps binary and the kernel.
> Okay, I'll add an option for that: -K, for do KVM-based
> method only.
Which of course will totally disable ps in the situation described, but
I guess if you're paranoid then a good solid wall is better than a
painting that attempts to look like a window on the real world. ;-)
Greg A. Woods
+1 416 218-0098 VE3TCP <firstname.lastname@example.org> <robohack!woods>
Planix, Inc. <email@example.com>; Secrets of the Weird <firstname.lastname@example.org>
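Brian's two-part getmntinfo() check from the quoted message, written out as an added example (not code from the thread or from the NetBSD ps source). It assumes a hypothetical mnt_entry struct so the logic can be run against a constructed mount table; the getmntinfo(3) wrapper is BSD-only and is compiled only there.

```c
#include <string.h>
#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__OpenBSD__)
#include <sys/param.h>
#include <sys/mount.h>
#if defined(__NetBSD__)
#include <sys/statvfs.h>
typedef struct statvfs mnt_stat_t;   /* NetBSD >= 3.0 getmntinfo(3) type */
#else
typedef struct statfs mnt_stat_t;    /* FreeBSD/OpenBSD getmntinfo(3) type */
#endif
#endif

/* One mount-table row; a hypothetical struct so the check is testable. */
struct mnt_entry {
    const char *mntonname;    /* where it is mounted */
    const char *fstypename;   /* file system type, e.g. "procfs" */
};

/*
 * Brian's conditions: (a) exactly one mount on /proc and it is procfs,
 * (b) no other mount point starts with "/proc/".  Returns 1 if both hold.
 */
int procfs_mount_ok(const struct mnt_entry *m, int n)
{
    int on_proc = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(m[i].mntonname, "/proc") == 0) {
            if (strcmp(m[i].fstypename, "procfs") != 0)
                return 0;             /* something other than procfs on /proc */
            on_proc++;
        } else if (strncmp(m[i].mntonname, "/proc/", 6) == 0) {
            return 0;                 /* a mount below /proc could hide PIDs */
        }
    }
    return on_proc == 1;              /* reject both missing and stacked mounts */
}

#if defined(__NetBSD__) || defined(__FreeBSD__) || defined(__OpenBSD__)
/* Run the check against the live mount table (BSD only). */
int live_procfs_mount_ok(void)
{
    mnt_stat_t *sf;
    struct mnt_entry m[128];
    int n = getmntinfo(&sf, MNT_NOWAIT);
    if (n <= 0 || n > 128)
        return 0;
    for (int i = 0; i < n; i++) {
        m[i].mntonname = sf[i].f_mntonname;
        m[i].fstypename = sf[i].f_fstypename;
    }
    return procfs_mount_ok(m, n);
}
#endif
```

As Greg points out, this only describes the mount table at the instant it is read; a mount that happens between the check and the later /proc reads is not caught.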