Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 13 Sep 2010 23:24:06 +0200
From: Willy Tarreau <w@....eu>
To: Marcus Meissner <meissner@...e.de>
Cc: oss-security@...ts.openwall.com, Andrew Morton <akpm@...ux-foundation.org>,
        spender@...ecurity.net, security@...nel.org
Subject: Re: [Security] Re:  /proc infoleaks

On Tue, Sep 07, 2010 at 09:19:03PM +0200, Marcus Meissner wrote:
> > > > or something like a umask for kernel-owned proc
> > > > entries so that you have a polite default and are
> > > > still able to enable it for certain profiling tools
> > > > or whereever you need it.
> > > 
> > > chmod 0440 /proc/slabinfo
> > > 
> > Heh, indeed. :-)
> > Would it be a bad idea to have proc_create() use a more strict
> > mode so it is non-leaking by default?
> 
> Yeah, sane and a bit more strict, defaults are missing.
> 
> The little pieces of information leakage out of the kernel should be fixed,
> to raise the bar for kernel exploits in little steps at a time.

Personally, I don't see why slabinfo could represent a threat.
I'm regularly using it as a normal user just to check where all
my RAM is going from time to time. The more we restrict access to
harmless information, the more we'll have sudoers in the wild for
special users who need special accesses. And sudoers are generally
not as well managed as permissions, believe me ;-)

Cheers,
Willy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.