Re: Bits from the Security Team
Previously on this list, Matthias Urlichs contributed:
> > I did a „setcap cap_sys_ptrace+eip
> > /usr/lib/nagios/plugins/check_procs”, but a normal user still can't
> > check for running programs of another user.
> >
> > What did I do wrong?
> >
> check_procs is a script, not a "real" executable.
>
> Since starting an interpreter with capabilities (or setuid, for that
> matter) of a script involves a race condition (kernel starts interpreter
> with script's rights, Joe Badass replaces the script with something
Is it writable by others than root?
I don't know the details of hidepid but the grsecurity patch has similar
functionality and lets users see their own processes or a group see them
all.
________________________________________________________________________________
+menu "Filesystem Protections"
+depends on GRKERNSEC
+
+config GRKERNSEC_PROC
+ bool "Proc restrictions"
+ help
+ If you say Y here, the permissions of the /proc filesystem
+ will be altered to enhance system security and privacy. You MUST
+ choose either a user only restriction or a user and group restriction.
+ Depending upon the option you choose, you can either restrict users to
+ see only the processes they themselves run, or choose a group that can
+ view all processes and files normally restricted to root if you choose
+ the "restrict to user only" option. NOTE: If you're running identd or
+ ntpd as a non-root user, you will have to run it as the group you
+ specify here.
+
+config GRKERNSEC_PROC_USER
+ bool "Restrict /proc to user only"
+ depends on GRKERNSEC_PROC
+ help
+ If you say Y here, non-root users will only be able to view their own
+ processes, and restricts them from viewing network-related information,
+ and viewing kernel symbol and module information.
+
+config GRKERNSEC_PROC_USERGROUP
+ bool "Allow special group"
+ depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
+ help
+ If you say Y here, you will be able to select a group that will be
+ able to view all processes and network-related information. If you've
+ enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
+ remain hidden. This option is useful if you want to run identd as
+ a non-root user.
+
+config GRKERNSEC_PROC_GID
+ int "GID for special group"
+ depends on GRKERNSEC_PROC_USERGROUP
+ default 1001
+
+config GRKERNSEC_PROC_ADD
+ bool "Additional restrictions"
+ depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
+ help
+ If you say Y here, additional restrictions will be placed on
+ /proc that keep normal users from viewing device information and
+ slabinfo information that could be useful for exploits.
+
+config GRKERNSEC_LINK
+ bool "Linking restrictions"
+ help
+ If you say Y here, /tmp race exploits will be prevented, since users
+ will no longer be able to follow symlinks owned by other users in
+ world-writable +t directories (e.g. /tmp), unless the owner of the
+ symlink is the owner of the directory. users will also not be
+ able to hardlink to files they do not own. If the sysctl option is
+ enabled, a sysctl option with name "linking_restrictions" is created.
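Review bot: The GRKERNSEC_PROC help text says the user MUST choose either the user-only or the user-and-group restriction, but nothing in the Kconfig enforces it: GRKERNSEC_PROC_USER and GRKERNSEC_PROC_USERGROUP are two independent bools (the second only excludes the first via `depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER`), so GRKERNSEC_PROC can be enabled with neither sub-option and /proc stays unrestricted while the top-level option reads as on. Wrap the two in a `choice` block under GRKERNSEC_PROC so one is always picked, or give GRKERNSEC_PROC_USER a `default y`. Smaller points: GRKERNSEC_PROC_GID ships `default 1001` with no help text saying which group that is expected to be or that the group must exist on the target system; and in the GRKERNSEC_LINK help, the sentence "users will also not be able to hardlink" should start with a capital letter.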
--
_______________________________________________________________________
'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'
(Doug McIlroy)
In Other Words - Don't design like polkit or systemd
_______________________________________________________________________
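The message compares hidepid on a stock kernel with the grsecurity restrictions quoted above (own processes only, or an exempt group). The following shell helper is an added example, not code from this thread or from grsecurity: it reads a mounts table in /proc/mounts format and reports which of those policies is in effect. It assumes the hidepid spellings noaccess/invisible/ptraceable (accepted by Linux 5.8 and later) alongside the numeric levels, and the sample tables it feeds itself are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added audit helper (not from the thread or grsecurity): report how /proc
# restricts process visibility. Reads a mounts table in /proc/mounts
# format; defaults to the live /proc/mounts.
#   hidepid=1 / noaccess : other users' /proc/PID dirs listed but unreadable
#   hidepid=2 / invisible: other users' /proc/PID dirs hidden entirely
#   hidepid=4 / ptraceable (Linux 5.8+): only processes the caller may ptrace
#   gid=N exempts that group, the counterpart of GRKERNSEC_PROC_GID above.
proc_policy() {
    mounts="${1:-/proc/mounts}"
    # The last /proc entry wins: a later remount supersedes earlier options.
    opts=$(awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }' "$mounts")
    if [ -z "$opts" ]; then
        echo "no-proc"
        return 0
    fi
    level=0
    gid=""
    old_ifs=$IFS
    IFS=','
    for opt in $opts; do
        case "$opt" in
            hidepid=0|hidepid=off)        level=0 ;;
            hidepid=1|hidepid=noaccess)   level=1 ;;
            hidepid=2|hidepid=invisible)  level=2 ;;
            hidepid=4|hidepid=ptraceable) level=4 ;;
            gid=*)                        gid="${opt#gid=}" ;;
        esac
    done
    IFS=$old_ifs
    if [ "$level" -eq 0 ]; then
        echo "all-visible"
    elif [ -n "$gid" ]; then
        echo "hidepid=$level,gid=$gid"
    else
        echo "hidepid=$level"
    fi
}

# Constructed sample tables so the script runs stand-alone (not real hosts).
sample_default=$(mktemp)
sample_restricted=$(mktemp)
printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n' > "$sample_default"
{
    printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n'
    printf 'proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=1001 0 0\n'
} > "$sample_restricted"
echo "default host:    $(proc_policy "$sample_default")"     # all-visible
echo "restricted host: $(proc_policy "$sample_restricted")"  # hidepid=2,gid=1001
rm -f "$sample_default" "$sample_restricted"
```

Run it with no argument on a live system to see the current /proc policy; a result of all-visible means a normal user's ps still lists every other user's processes.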