[28408] in bugtraq


Re: ps information leak in FreeBSD

daemon@ATHENA.MIT.EDU (Sean Kelly)
Wed Jan 8 16:58:46 2003

Date: Wed, 8 Jan 2003 10:39:03 -0600
From: Sean Kelly <smkelly@zombie.org>
To: bugtraq@securityfocus.com, Jez Hancock <jez.hancock@munk.nu>
Message-ID: <20030108163902.GA31396@edgemaster.zombie.org>
In-Reply-To: <20030107091800.GC56102@users.munk.nu>

On Tue, Jan 07, 2003 at 09:18:00AM +0000, Jez Hancock wrote:
...
> It's annoying in that I see a lot of users running mysql with the -u and -p options:
>
> mysql -u user -p mypassword
>
> on the commandline, thinking that this info will not show up in ps listings when ps
> is run by other users.  Ho hum...

As has already been pointed out, this is something that the application
should deal with. Despite this, FreeBSD also has a sysctl knob which will
protect against this.

(2) root:~$ sysctl kern.ps_argsopen=0
kern.ps_argsopen: 1 -> 0

This will prevent exactly the problem you describe, by making arguments not
viewable to other users (excluding root). It also appears to take effect in
/proc, such as /proc/<pid>/cmdline.

This is present in FreeBSD 4.7-STABLE, at least.

--
Sean Kelly         | PGP KeyID: D2E5E296
smkelly@zombie.org | http://www.zombie.org
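
Added example (not part of Sean Kelly's message): a POSIX shell audit of the kern.ps_argsopen knob described above, checking both the live value and whether /etc/sysctl.conf sets it to 0 so the setting is reapplied at boot. The function names and verdict strings are invented for this example, and treating the file as name=value lines with # comments is an assumption about the host's configuration.

```shell
#!/bin/sh
# Added example: audit whether kern.ps_argsopen=0 is both active and persisted.
# Function names and verdict strings are hypothetical, not from the original post.

# Print the last value assigned to kern.ps_argsopen in a sysctl.conf-style
# file (entries are applied in order, so the last one wins), or nothing if
# the knob is never set or the file is unreadable.
conf_value() {
    [ -r "$1" ] || return 0
    sed -e 's/#.*//' "$1" |
        awk -F= '
            { gsub(/[ \t"]/, "", $1); gsub(/[ \t"]/, "", $2) }
            $1 == "kern.ps_argsopen" { v = $2 }
            END { if (v != "") print v }'
}

# audit_ps_argsopen RUNTIME_VALUE CONF_FILE
# Prints one verdict:
#   ok            arguments hidden now and after reboot
#   runtime-only  hidden now, but the setting is lost on reboot
#   boot-only     configured for boot, but currently visible to other users
#   exposed       other users can read process arguments
audit_ps_argsopen() {
    runtime=$1
    boot=$(conf_value "$2")
    if [ "$runtime" = 0 ] && [ "$boot" = 0 ]; then
        echo ok
    elif [ "$runtime" = 0 ]; then
        echo runtime-only
    elif [ "$boot" = 0 ]; then
        echo boot-only
    else
        echo exposed
    fi
}

# On a FreeBSD host, run with --live to read the kernel's current value.
if [ "${1:-}" = "--live" ]; then
    audit_ps_argsopen "$(sysctl -n kern.ps_argsopen)" /etc/sysctl.conf
fi
```

A runtime-only verdict is the state left by the one-off sysctl command shown in the message.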
