Subject: Re: ps /proc changes (CVS commit: src)
To: None <tech-userlevel@netbsd.org>
From: Greg A. Woods <woods@most.weird.com>
List: tech-userlevel
Date: 03/27/1999 13:08:10
[ On Saturday, March 27, 1999 at 10:51:51 (-0600), Brian C. Grayson wrote: ]
> Subject: Re: ps /proc changes (CVS commit: src)
>
> On Sat, Mar 27, 1999 at 10:44:19AM +0100, Bernd Ernesti wrote:
> > 
> > I think that is not enough. You have to check that /proc is an procfs.
> > 
> > It is just to easy to fake processes for an intruder without replacing ps.

Easy?  ;-)

>   How about a getmntinfo() call, followed by a check that:
> a) a "procfs" is mounted on /proc
> b) nothing else has a mount point beginning with /proc.

That seems OK, but is fraught with opportunities for races.  Perhaps if
procfs didn't make its sub-directories owned by the process owner then
the second check would be unnecessary and assuming secure permissions
for / and /proc then only the first check would be necessary and all
race conditions should be avoided, I think.

>   Can we be any more sure than that?  I'm not an FS guru or even
> FS knowledgeable, and I haven't tried these out, but aren't
> these security holes:
>   1.  If an intruder has write access to /dev/kmem, they could fake

If an intruder has write access to /dev/*mem then you may as well forget
about the system.  It's irrelevant at that point whether ps uses
/dev/kmem or /proc -- the system is totally hosed and you should just
newfs and re-install from original CDs (even backups may be hosed,
depending on how long the compromise had been successfully hidden).

>   It _appears_ to me (now -- thanks for pointing this out!) that
> /kern and /proc are inherently insecure, no matter what you do.
> sysctl is the One True Way, unfortunately.  :)

If you s/sysctl/system call/ then maybe I'd agree in part....   ;-)

> > There is no way to disable the /proc search when there is a problem between
> > the ps binary and the kernel.
> 
>   Okay, I'll add an option for that:  -K, for do KVM-based
> method only.

Which of course will totally disable ps in the situation described, but
I guess if you're paranoid then a good solid wall is better than a
painting that attempts to look like a window on the real world.  ;-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>      <robohack!woods>
Planix, Inc. <woods@planix.com>; Secrets of the Weird <woods@weird.com>
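The mount-table check proposed in the thread (a "procfs" on /proc, and no other mount point underneath it), written out as an added example; this is not code from the NetBSD ps sources or from either poster. On NetBSD the entries would come from getmntinfo(3), whose elements carry the f_mntonname and f_fstypename fields; here a small struct with just those two fields and constructed sample tables stand in for that call so the example builds and runs on any system. The check is a snapshot of the mount table, so it has the race window Greg points out: a mount can appear after the check and before ps reads /proc.

```c
#include <stdio.h>
#include <string.h>

/* Minimal view of one mount-table entry. These are the two fields of the
 * getmntinfo(3) result that the check needs; the arrays below are
 * constructed sample data, not output of a real system. */
struct mnt_entry {
    const char *mntonname;   /* mount point, e.g. "/proc" */
    const char *fstypename;  /* filesystem type name, e.g. "procfs" */
};

/* Returns 1 when both conditions from the thread hold for procpath:
 *   a) a filesystem of type "procfs" is mounted exactly on procpath
 *   b) no other filesystem is mounted on a path below procpath
 * Returns 0 otherwise. Only paths with a '/' after the prefix count as
 * "below", so a mount on "/process" does not disqualify "/proc". */
int procfs_is_trustworthy(const struct mnt_entry *mnts, size_t n,
                          const char *procpath)
{
    size_t plen = strlen(procpath);
    int found = 0;

    for (size_t i = 0; i < n; i++) {
        const char *m = mnts[i].mntonname;

        if (strcmp(m, procpath) == 0) {
            /* condition a): the mount on procpath itself must be procfs */
            if (strcmp(mnts[i].fstypename, "procfs") != 0)
                return 0;
            found = 1;
        } else if (strncmp(m, procpath, plen) == 0 && m[plen] == '/') {
            /* condition b): something is mounted inside procpath, so a
             * directory that looks like a process entry may be foreign */
            return 0;
        }
    }
    return found;
}

/* Constructed table: an ordinary layout with procfs on /proc. */
int check_clean_table(void)
{
    const struct mnt_entry t[] = {
        { "/",        "ffs"    },
        { "/usr",     "ffs"    },
        { "/proc",    "procfs" },
        { "/kern",    "kernfs" },
        { "/process", "ffs"    },   /* shares the prefix but is unrelated */
    };
    return procfs_is_trustworthy(t, sizeof t / sizeof t[0], "/proc");
}

/* Constructed table: an extra filesystem mounted below /proc. */
int check_nested_mount(void)
{
    const struct mnt_entry t[] = {
        { "/",          "ffs"    },
        { "/proc",      "procfs" },
        { "/proc/1234", "nullfs" },
    };
    return procfs_is_trustworthy(t, sizeof t / sizeof t[0], "/proc");
}

/* Constructed table: /proc exists as a mount point but is not procfs. */
int check_wrong_fstype(void)
{
    const struct mnt_entry t[] = {
        { "/",     "ffs" },
        { "/proc", "ffs" },
    };
    return procfs_is_trustworthy(t, sizeof t / sizeof t[0], "/proc");
}

/* Constructed table: nothing mounted on /proc at all. */
int check_no_procfs(void)
{
    const struct mnt_entry t[] = {
        { "/",    "ffs" },
        { "/usr", "ffs" },
    };
    return procfs_is_trustworthy(t, sizeof t / sizeof t[0], "/proc");
}

int main(void)
{
    printf("clean table:   %d\n", check_clean_table());
    printf("nested mount:  %d\n", check_nested_mount());
    printf("wrong fstype:  %d\n", check_wrong_fstype());
    printf("no procfs:     %d\n", check_no_procfs());
    return 0;
}
```

A ps that wanted to use this would run the check once and, on failure, fall back to the KVM path the thread discusses rather than trusting what it finds under /proc.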