Re: Security: information leaks in /proc enable keystroke recovery

[James Morris]

On Sun, 16 Aug 2009, Theodore Tso wrote:

> On Mon, Aug 17, 2009 at 12:31:38AM +0000, David Wagner wrote:
> > 
> > OK.  What about this:
> > 
> > (a) Remove ESP and EIP from /proc/$pid/stat{,us} entirely.  Put them in
> > some other file that is only readable by root and by the owner of the
> > process, but is not world-readable.  We know that ESP and EIP can be used
> > for keystroke recovery, and they are not usually used by administrators,
> > so the first step is to lock them down tightly: there is no downside.
> 
> Agreed.

It might be best to require a capability for this if not root.

The candidates seem to be CAP_SYS_ADMIN and CAP_SYS_PTRACE.

> Maybe we should only be recording the last access and last modified
> time on pseudo-tty's to a second granularity, hmmm?

I can't think of a valid case for finer granularity here, although I guess 
it could be made a sysctl if necessary.

I wonder if there are any other channels?


- James
-- 
James Morris
<jmorris@xxxxxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/