Richard L. Hamilton writes:
> AFAIK, a command needs root (or process owner, or perhaps some fine-grained
> permission?) to obtain environment variables of other processes, so that could
> be clamped down on. But /proc makes /proc/*/psinfo publicly readable,
> so anybody can see anyone's command line arguments.
>
> What if /proc provided two different views of the contents of a psinfo file,
> depending on whether the reader was {the same euid as the process owner,
> root, or had some fine-grained permission}? The unprivileged reader would
> see it as if pr_psargs had the same contents as pr_fname, while the privileged
> reader would see it as now, with the greater detail.

I agree that it'd be an interesting feature to have.

CR 4758599 (unfortunately not visible on boo due to the 'security'
flag) requested trimming down who could read what out of /proc. It
suggested using a mount option for /proc to restrict the file modes (a
la umask), but an information-hiding mechanism like you're suggesting
would also have served the purpose.

It's currently closed as "will not fix" because, as the evaluator
says, some people may have more stringent security policies than could
be implemented that way, and would require a large number of changes
to /proc-based tools that would stop functioning (or behave
differently) when the information was restricted.

And the evaluator notes that you can set up separate machines,
separate Domains, or separate non-global zones to wall off processes
from each other as well, and those are more effective means of
accomplishing roughly the same thing.

(This likely doesn't belong on arc-discuss ... it should probably be
moved to something more appropriate, such as security-discuss.)

--
James Carlson, KISS Network <james.d.carlson at sun.com>
Sun Microsystems / 1 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
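
The two-view psinfo idea quoted at the top of this message, modelled in user space as an added example; it is not part of the thread and not Solaris /proc code. `psinfo_model`, `reader_cred`, `has_priv`, and the sample process are hypothetical; only the field names and the two buffer sizes follow Solaris `<sys/procfs.h>`.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define PRFNSZ  16  /* pr_fname size in Solaris <sys/procfs.h> */
#define PRARGSZ 80  /* pr_psargs size in Solaris <sys/procfs.h> */

/* Reduced stand-in for psinfo_t: only the fields the proposal touches. */
struct psinfo_model {
    uid_t pr_euid;
    char  pr_fname[PRFNSZ];
    char  pr_psargs[PRARGSZ];
};

/* Hypothetical reader credential; has_priv models the "fine-grained permission". */
struct reader_cred { uid_t euid; int has_priv; };

/* Copy *p to *out as the reader should see it.
 * Returns 1 for the full view, 0 for the reduced one. */
int psinfo_view(const struct reader_cred *r, const struct psinfo_model *p,
                struct psinfo_model *out)
{
    *out = *p;
    if (r->euid == 0 || r->euid == p->pr_euid || r->has_priv)
        return 1;
    /* Clear the whole buffer so no argument bytes survive past the NUL. */
    memset(out->pr_psargs, 0, sizeof(out->pr_psargs));
    strncpy(out->pr_psargs, p->pr_fname, PRFNSZ);
    return 0;
}

/* Constructed sample: uid 1001 runs a command with a secret in its arguments. */
static const struct psinfo_model sample = {
    1001, "dbload", "dbload -u app -p EXAMPLE-SECRET /data/in.csv"
};

/* What a given reader would find in pr_psargs for the sample process. */
const char *visible_args(uid_t reader_euid, int has_priv)
{
    static struct psinfo_model view;
    struct reader_cred r = { reader_euid, has_priv };
    psinfo_view(&r, &sample, &view);
    return view.pr_psargs;
}

int main(void)
{
    printf("other user: %s\n", visible_args(2002, 0));
    printf("owner:      %s\n", visible_args(1001, 0));
    return 0;
}
```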