[7666] in bugtraq


Re: ps(1) for freebsd.

daemon@ATHENA.MIT.EDU (Scott Smith)
Thu Aug 13 23:13:29 1998

Date: 	Thu, 13 Aug 1998 18:35:50 -0700
Reply-To: Scott Smith <scotts@cybersource.com>
From: Scott Smith <scotts@CYBERSOURCE.COM>
X-To:         JDC <yoshi@PARODIUS.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <19980813154842.A3110@parodius.com>

>         Paranoia is not synonymous with security, nor is it synonymous
>         with "privacy."
>
>         Hacking ps to fix a security problem in ppp is not the solution:
>         fixing ppp is. ps(1)'s -a and -e flags were implemented for a
>         reason; to remove them is de-evolutionary.

        Agreed, but one could associate the ability as an unprivileged user to
read *other* users' environment variables with the finger(1) bug that allowed
users to read arbitrary files (or the sendmail uuencode bug, or ...).  The only
difference is that the target is not a file, it is an environment variable.

        There is a reason I make my shell's rc files mode 0700 and have a umask
of 077, and paranoia/security laziness are *not* why.  :)

Scott

--
scott@cybersource.com
UNIX Sysadmin, CyberSource (ext. 6093)

"My manager, after having poked his head into my area for the 10th time today,
said, `I just can never understand how sysadmins can work effectively with
people breathing down their necks.'" - a friend
