Re: /proc paranoia patch (1.2.13)

Marek Michalkiewicz (
Thu, 28 Sep 1995 21:22:00 +0100 (MET)

Ian Jackson:
> I've been worried about security holes in the procfs - both real and
> potential - for some time. It seems, for example, sometimes to forget
> to change the ownerships of files like /proc/<pid>/fd when processes
> become undumpable (eg, by exec'ing setuid programs), and there have
> been reports of a security hole involving /proc/<pid>/mem and mmap.

I wrote the patch to change the owner of /proc files to root if the
dumpable flag is cleared. Could you tell me some more details what
is wrong, how to reproduce the problem?

> I'd very much appreciate it if my patch were considered for inclusion
> in the standard kernel. It is so simple that it is unlikely to have
> any bugs that make matters worse than they are already.

I hope to see 1.2.14 soon too; there are a few other problems reported.
Here is a list just to make sure they are not forgotten (this happened
to /proc - the proc(4) man page last updated for 1.1.45 (!) says in the
BUGS section: "The /proc file system totally destroys the security of
your system. This needs fixing before 1.2", but in fact it was not
fixed before 1.2, unfortunately).

- /proc/<pid>/mem and mmap, strace reboot
- MAP_DENYWRITE denial of service, do it only files executable by user?
- IP firewalling: header overwrite
- setuid/setgid bits not cleared when the file is written by non-owner

Maybe we should have an official kernel bug database (like the one for
the Debian distribution) to make sure no bug is forgotten?

> (I have had to do one rather nasty hack: the procfs doesn't have a
> member of the superblock per-filesystem info union, so I have encoded
> the paranoid option into the root directory's sticky bit.)

Maybe we should add such a member for proc (this is not critical so it
might go in 1.3.x only) - it would be much easier to add new proc mount
options. Another mount option which would be useful is to allow the user
to see information about their own processes only. I have an account on
an old (but C2) SCO box which does just that: I can't see any processes
not owned by me using ps or w. This would be especially nice for programs
which need passwords as arguments (like smbclient).