Hi!
Unless I am mistaken a process currently needs CAP_SYS_PTRACE to read
/proc/$PID/exe for abritrary processes. Does that make sense? Could
that be relaxed? Is there any reason to limit access to that link at
all? To me the data from /proc/$PID/cmdline seems to be far more
worthy to be protected than /proc/$PID/exe, or am I missing something?
Tbh, looking at the code I don't really get where CAP_SYS_PTRACE seems
to be required, but experimenting from userspace this seems to be the
case.
Lennart
--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4
On Tue, Jul 21, 2009 at 6:52 PM, Lennart Poettering<[email protected]> wrote:
> Hi!
>
> Unless I am mistaken a process currently needs CAP_SYS_PTRACE to read
> /proc/$PID/exe for abritrary processes.
You mean "readlink'?
> Does that make sense? Could
> that be relaxed? Is there any reason to limit access to that link at
> all? To me the data from /proc/$PID/cmdline seems to be far more
> worthy to be protected than /proc/$PID/exe, or am I missing something?
>
> Tbh, looking at the code I don't really get where CAP_SYS_PTRACE seems
> to be required, but experimenting from userspace this seems to be the
> case.
Another annoying thing is that sometimes processes cannot open
their own /proc/self/fd/N. Example:
# setuidgid 200:200 cat /proc/self/fd/0
cat: /proc/self/fd/0: Permission denied
In real life this happened when I wanted to redirect apache's
log to stderr. The config directive only allowed redirecting
to a file, so I specified /proc/self/fd/2. It does not work
if apache drops root after startup.
--
vda
On Tue, 21.07.09 19:06, Denys Vlasenko ([email protected]) wrote:
>
> On Tue, Jul 21, 2009 at 6:52 PM, Lennart Poettering<[email protected]> wrote:
> > Hi!
> >
> > Unless I am mistaken a process currently needs CAP_SYS_PTRACE to read
> > /proc/$PID/exe for abritrary processes.
>
> You mean "readlink'?
Yes.
Lennart
--
Lennart Poettering Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/ GnuPG 0x1A015CC4