Question abt /etc/crash & proc struct
John F Haugh II
jfh at rpp386.cactus.org
Mon Jun 24 23:21:45 AEST 1991
In article <8693 at awdprime.UUCP> mbrown at testsys.austin.ibm.com (Mark Brown) writes:
>shore at theory.TC.Cornell.EDU (Melinda Shore) writes:
>>It is not at all clear what you mean by this. If you mean that no
>>program outside the kernel should be able to access the proc table,
>>that's obviously incorrect. If you mean that the pages containing the
>>proc table should be protected by the mmu, that's less obviously
>>incorrect, but incorrect nevertheless.
>
>[NOTE: most of what I know about the /dev/kmem aspect of system security
>vis-a-vis NCSC standards I learned by word-of-mouth. My opinions on this
>subject, therefore, are not authoritative.]
>
>Not so obvious at all, I've found.
>
>Actually, there are very valid reasons for not allowing user programs
>access to the proc table information (excepting in a very limited
>fashion). They have to do with system security and user information
>security on that system.
>
>Note, for example, that PIDs on the 6000 are assigned in a "random"
>order, to hide information that can (I've been told) be used against
>the system.
>
>Mr. Haugh knows a *lot* more about the details of these issues than I,
>and can probably be persuaded to explicate them....
Gee, thanks. I'll remember your name next time I can find some way
to pick on you ;-)
There is no "real" reason to deny the capability in an abstract sense.
That is, there is no way to construe what the Orange book (or any other
security text for that matter) says to imply that denying access to
the proc structure to all processes is a requirement for system
security.
What the Orange book talks about is authorization to access particular
information. Clearly "write" access must be denied - that much is
spelled out for B1 in section 3.1.3.1.1 - the system must maintain a
"domain" that is free from tampering. Read-only access prevents
tampering, therefore. Section 3.1.2.1 says the system must allow
access to authentication data only to accessed by authorized programs.
Setting the permission bits on the device file and putting people in
the authorized groups (or giving away set-ID privileges) would be
"authorization".
The real reasons for denying access are all "portablity" problems.
Back when I was having this argument with certain architects, their
claim was that the user would have to recompile their non-portable
programs every time the system changed and therefore allowing access
was useless. I maintain that this argument smacks of patronization.
This is precisely what everyone does already, so IBM isn't saving
anyone any time they haven't already committed themselves to spending.
It is good that IBM provided getproc() and getuser(), and I was one
of the people pressing to have both documented - but that is not
enough. The traditional methods for getting at the proc table must
still be supported. There is value in being "the same", just as
there is value in being "different". Preserving de facto standard
access methods is too important to be brushed away by a "value added"
feature.
--
John F. Haugh II | Distribution to | UUCP: ...!cs.utexas.edu!rpp386!jfh
Ma Bell: (512) 255-8251 | GEnie PROHIBITED :-) | Domain: jfh at rpp386.cactus.org
"UNIX signals are not interrupts. Worse, SIGCHLD/SIGCLD is not even a UNIX
signal, it's an abomination." -- Doug Gwyn
More information about the Comp.unix.aix
mailing list