Richard L. Hamilton wrote:
> AFAIK, a command needs root (or process owner, or perhaps some fine-grained
> permission?) to obtain environment variables of other processes, so that could
> be clamped down on. But /proc makes /proc/*/psinfo publically readable,
> so anybody can see anyone's command line arguments.
> What if /proc provided two different views of the contents of a psinfo file,
> depending on whether the reader was {the same euid as the process owner,
> root, or had some fine-grained permission}? The unprivileged reader would
> see it as if pr_psargs had the same contents as pr_fname, while the privileged
> reader would see it as now, with the greater detail.
/usr/ucb/ps has root permissions, so normal end users can see
environment variables of other users' processes through it.
In any case, the policy is for all Sun products, not just those
part of Solaris, so has to cover applications that may run on
older versions of Solaris than any change you propose, and on
OSes we can't change.
The part I left out of the short summary ("Don't accept passwords
in command line options or environment variables, since programs
like ps, pargs, and penv can snoop those.") was "If you need to
allow for non-interactive use to provide a password, pass it in
a file you can make non-readable by others." Given such a
simple-to-implement alternative, it hardly seems worth going through
much trouble to make it secure to store passwords in environment
variables only on new Solaris releases.
Whether your idea has merit for other reasons is something to
discuss on security-discuss, not arc-discuss. (The ARC policy
was set a few years ago, I was just requesting publication on
opensolaris.org of the existing policy so that community projects
would know the rules they'd be expected to follow.)
--
-Alan Coopersmith- alan.coopersmith at sun.com
Sun Microsystems, Inc. - X Window System Engineering
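The "pass it in a file you can make non-readable by others" alternative from the message above, worked through as an added example (this is editor-supplied illustration, not code from Alan Coopersmith, the ARC, or any Sun product). The hypothetical helper `read_password_file` reads the password from a file instead of argv or the environment, so nothing visible to ps, pargs or penv ever carries it, and it refuses to proceed if the file is group- or world-readable, is a symlink, or is not owned by the caller. The sample secret and file name are constructed for the demonstration.

```sh
#!/bin/sh
# read_password_file FILE
#   Prints the first line of FILE (the password) on stdout and returns 0.
#   Returns 1 without printing anything if FILE is not a regular file,
#   is a symbolic link, is owned by someone else, or has any group/other
#   read bit set. Uses only POSIX tools (ls, awk, cut, id, read).
read_password_file() {
    pwfile=$1

    # A symlink could point a loosely-permissioned path at something else;
    # insist on a plain regular file.
    if [ -L "$pwfile" ] || [ ! -f "$pwfile" ]; then
        echo "read_password_file: $pwfile is not a regular file" >&2
        return 1
    fi

    # Column 3 of 'ls -ld' is the owner; the caller must own the file.
    owner=$(ls -ld "$pwfile" | awk '{print $3}')
    if [ "$owner" != "$(id -un)" ]; then
        echo "read_password_file: $pwfile is owned by $owner, not $(id -un)" >&2
        return 1
    fi

    # Characters 5-10 of the mode string are the group and other bits
    # (e.g. '------' for 0600). Any 'r' there means someone else can read it.
    grp_oth=$(ls -ld "$pwfile" | cut -c5-10)
    case $grp_oth in
        *r*)
            echo "read_password_file: $pwfile is readable by others (mode $(ls -ld "$pwfile" | cut -c1-10)); refusing" >&2
            return 1
            ;;
    esac

    # Read the password from the file: it never appears in argv or the
    # environment, so it is not exposed through /proc/*/psinfo.
    IFS= read -r password < "$pwfile" || return 1
    printf '%s\n' "$password"
}

# Stand-alone demonstration with a constructed secret in a temporary file.
demo_dir=$(mktemp -d)
printf 'constructed-secret\n' > "$demo_dir/pw"
chmod 600 "$demo_dir/pw"
echo "mode 0600: password read -> $(read_password_file "$demo_dir/pw")"
chmod 644 "$demo_dir/pw"
read_password_file "$demo_dir/pw" >/dev/null 2>&1 || echo "mode 0644: refused, as intended"
rm -rf "$demo_dir"
```

Callers pass the path (e.g. `PW=$(read_password_file "$HOME/.myapp/pw")`) and keep the value in a shell variable rather than exporting it, since an exported variable would end up in the child's environment and be visible again through penv.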