Subject: kern.showallprocs implementation
To: None <tech-security@netbsd.org>
From: Rui Paulo <alpha1@freeshell.org>
List: tech-security
Date: 06/26/2004 01:56:59

Greetings.

I've implemented FreeBSD's kern.ps_showallprocs but I renamed the sysctl
variable to kern.showallprocs. If this variable is equal to 0, normal
users (i.e. not root) will only be able to list processes that match
their UID; if it's equal to one, no restriction of this type will be
applied.
The diff is in attachment, although I'm not really sure if `cvs diff` is the
best way to submit diffs to the mailing list.
What do you guys think? Is it ok?

Regards,
    Rui Paulo

-- 
  "Simplicity is the ultimate 
    sophistication." 
    -- Leonardo da Vinci      


Content-Disposition: attachment; filename=diff

Index: init_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/init_sysctl.c,v
retrieving revision 1.24.2.4
diff -r1.24.2.4 init_sysctl.c
117a118
> static int sysctl_kern_showallprocs(SYSCTLFN_PROTO);
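Review bot: the prototype is added here, but nothing in this diff declares `showallprocs` for init_sysctl.c, even though the hunks at 289 and 1897 use it and the variable itself is defined in kern_sysctl.c; unless some header already declares it, this will not build as submitted. Add `extern int showallprocs;` next to the prototype, or better, declare it in a shared header.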
289a291,297
>         sysctl_createv(clog, 0, NULL, NULL,
> 	               CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
> 	               CTLTYPE_INT, "showallprocs",
> 	               SYSCTL_DESCR("Whether normal users can list all "
> 	                            "processes"),
> 		       sysctl_kern_showallprocs, 0, &showallprocs, 0,
> 		       CTL_KERN, KERN_SHOWALLPROCS, CTL_EOL);
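Review bot: `KERN_SHOWALLPROCS` is used in the node creation but the diff contains no change to sys/sysctl.h defining it, so the constant is undefined as submitted; please include the header hunk, and document the new knob in the sysctl manual page. The continuation lines also mix space and tab indentation; match the file's existing style.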
1049a1058,1080
>  * sysctl helper function for kern.showallprocs. allowed values are 0 and 1.
>  */
> static int
> sysctl_kern_showallprocs(SYSCTLFN_ARGS)
> {
> 	int error, nshowallprocs;
> 	struct sysctlnode node;
> 	
> 	nshowallprocs = showallprocs;
> 	node = *rnode;
>         node.sysctl_data = &nshowallprocs;
> 	error = sysctl_lookup(SYSCTLFN_CALL(&node));
> 	if (error || newp == NULL)
> 		return (error);
>         if (nshowallprocs < 0 || nshowallprocs > 1)
> 		return (EINVAL);
> 
> 	showallprocs = nshowallprocs;
> 
> 	return (0);
> }
> 
> /*
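Review bot: the helper accepts any write that reaches it without checking who is writing; since the node is created CTLFLAG_READWRITE without CTLFLAG_ANYWRITE, this relies entirely on sysctl_lookup() rejecting writes from non-root. Please confirm that holds on this branch, otherwise an unprivileged user could set showallprocs back to 1 and defeat the restriction. Separately, the hunk begins with ` * sysctl helper function...` and ends with a bare `/*`, i.e. it is spliced into the middle of an existing comment opener; inserting the complete comment plus function as one self-contained block after the previous function reads better and applies more robustly. The `node.sysctl_data = ...` and range-check lines, and the blank line after the declarations, are indented with spaces rather than tabs.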
1897a1929,1939
>                 /*
> 	 	 * If kern.showallprocs == 0, then skip processes that don't 
> 		 * match the UID of the calling process. Root is allowed to 
> 		 * see every process.
> 		 */
> 		if (!showallprocs)
> 			if (l->l_proc->p_ucred->cr_uid) 
> 				if (p->p_ucred->cr_uid != 
> 					l->l_proc->p_ucred->cr_uid)
> 						continue;
> 				
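Review bot: the filter compares effective UIDs (`p_ucred->cr_uid` on both sides), so a setuid-root program started by a user vanishes from that user's listing while a root-started daemon that has switched its effective UID to that user becomes visible; the comment's "match the UID" hides this. Decide whether the policy is meant to be real or effective UID (FreeBSD's ps_showallprocs goes through its p_cansee() check) and state it in the comment. The hunk also dereferences `l->l_proc` without checking that `l` is non-NULL; confirm the KERN_PROC handler can never be entered with l == NULL, or guard it. Finally, the three nested brace-less ifs ending in `continue` would be clearer as one condition: `if (!showallprocs && l->l_proc->p_ucred->cr_uid != 0 && p->p_ucred->cr_uid != l->l_proc->p_ucred->cr_uid) continue;`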
Index: kern_sysctl.c
===================================================================
RCS file: /cvsroot/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.169.2.6
diff -r1.169.2.6 kern_sysctl.c
165a166,167
> int showallprocs = 1;
> 
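Review bot: every use of `showallprocs` in this diff is in init_sysctl.c, so defining the global here in kern_sysctl.c only adds a cross-file dependency with no matching declaration; either make it `static int showallprocs = 1;` in init_sysctl.c beside the new helper, or keep it here and add the declaration to a header. Defaulting to 1 preserves current behaviour, which is the right choice for a change on a release branch.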
