[7664] in bugtraq
Re: ps(1) for freebsd.
daemon@ATHENA.MIT.EDU (JDC)
Thu Aug 13 21:38:02 1998
Mail-Followup-To: BUGTRAQ@netspace.org
Date: Thu, 13 Aug 1998 15:48:42 -0700
Reply-To: JDC <yoshi@PARODIUS.COM>
From: JDC <yoshi@PARODIUS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSF.3.96.980812145107.21061A-100000@Tyr.office.EFN.org>;
from Ben on Wed, Aug 12, 1998 at 03:00:21PM -0700
On XX 08/12/1998 03:00:21PM, spy@TYR.OFFICE.EFN.ORG wrote:
> The ps(1) command for FreeBSD can be used to show environment variables for
> user processes running as you, or other users. While not a bug itself, this
> will allow you to view certain things, i.e. is root logged on?, FTP_SERVER,
> FTP_PASSWORD, or if the machine is a dialup box, and ppp is dialing at the
> time you execute ps(1) you will be able to view the password and login for
> their account. For privacy reasons I made patches that only allow ps(1) to
> show the processes for the user running it, making the '-a' flag go away,
> unless your uid or gid is 0.
Paranoia is not synonymous with security, nor is it synonymous
with "privacy."
Hacking ps to fix a security problem in ppp is not the solution:
fixing ppp is. ps(1)'s -a and -e flags were implemented for a
reason; to remove them is de-evolutionary.
tata.
--
| Jeremy Chadwick System Administrator |
| yoshi@parodius.com ICQ #6279222 |
| "Where is fancy bread? In the heart, or in the head?" - WW |