Subject: Re: Why not track our xsrc with X11R6.6 from X.org?
To: None <current-users@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: current-users
Date: 07/19/2001 15:29:09
[ On Thursday, July 19, 2001 at 11:16:01 (-0700), Andrey Petrov wrote: ]
> Subject: Re: Why not track our xsrc with X11R6.6 from X.org?
>
> On Thu, Jul 19, 2001 at 01:13:34AM -0400, R. C. Dowdeswell wrote:
> > And, to clarify that statement a little bit, there are certain memory
> > protections that reasonable Unices put even on root level processes, i.e.
> > you can't look at memory in other processes.  This protection allows a
> 
> What about /dev/(k)mem, procfs, ptrace?

- procfs is another thing that was added to the system without
  understanding the full consequences (and that's true right back to the
  original AT&T implementations, though at least a few of those bugs
  have since been fixed in most implemenations).

- now that more proper sysctl interfaces are available for most former
  kmem grovellers /dev/[k]mem should probably not be readable if
  securelevel >= 2.

- ptrace is a major hole for root to slip through.  It should probably
  be completely disabled at securelevel >= 2 too, or at least limited
  for use on processes actually started (not effectively running as) the
  calling user....

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>