
From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Tue 23 Mar 2004 - 02:32:07 GMT


herbert_at_13thfloor.at (Herbert Poetzl) writes:

> did a quick, first impression classification on those
> entries, so it is a start, but nothing final, and YMMV
>
> /proc/net/ (C)

required at least for firewall- or VPN-setup vservers

> -/proc/net/rpc/ (D)

proof-of-concept code ;) there is probably no need to remove this entry,
but this directory seems to be good for testing the '-' prefix without
destroying too much functionality...

> -/proc/sys/debug/ (D)
> -/proc/sys/dev/ (D)

ditto

> /proc/kcore (D)
> /proc/kmsg (C)
> /proc/ksyms (C)

protected by CAP_SYS_ADMIN

> (B) ... not required, leaks host info

I do not think that this is a real problem; most parameters can be
determined in other ways also. So hiding the /proc entries would not
increase security.

> (C) ... critical, might pose a security risk
> (D) ... dangerous, might be used for DoS

The capability system should and must give enough protection; there are a few
entries (sysrq-triggers and scsi) which need the extra vproc wrapper. But
this should be the exception, not the rule...

Enrico
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
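The thread classifies /proc entries with a tag ((B), (C), (D)) and a leading '-' for entries the vproc wrapper should hide, and Enrico's argument is that most (C)/(D) entries are already guarded by a CAP_SYS_ADMIN check at open() time. The script below is an added example, not code from this thread or from the Linux-VServer project: it parses a list in exactly that notation and, run from inside a guest, reports for each entry whether the current user finds it absent, openable, or denied. The list format, the verdict names (LEAK, CHECK, ok) and the file name audit_proc.sh are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the thread or from Linux-VServer):
# audit a /proc classification list written in the thread's notation
#   /proc/net/ (C)            entry stays visible, class C
#   -/proc/net/rpc/ (D)       '-' prefix: entry is to be hidden from the guest
# from inside a guest and report what the current user can actually open.
# The list format and the verdict names below are assumptions of this example.

# parse_entry ENTRY -> "hide|show PATH CLASS"
parse_entry() {
    entry=$1
    hide=show
    case $entry in
        -*) hide=hide; entry=${entry#-} ;;
    esac
    set -- $entry                 # word-split: $1 = path, $2 = "(X)" tag
    class=$2
    class=${class#\(}
    class=${class%\)}
    printf '%s %s %s\n' "$hide" "$1" "$class"
}

# probe_path PATH -> absent | readable | denied
# Uses open(2) only (a redirection, never a read), so entries such as
# /proc/kmsg, whose open() is what the capability check guards and whose
# read() blocks, are probed safely.  [ -r ] would not do: access(2) does
# not model those capability checks.
probe_path() {
    if [ ! -e "$1" ]; then
        echo absent
    elif ( true < "$1" ) 2>/dev/null; then
        echo readable
    else
        echo denied
    fi
}

# audit_list < LIST -> one line per entry: VERDICT STATE PATH (CLASS)
#   LEAK  : entry marked '-' is still present in the guest
#   CHECK : a (C) or (D) entry is openable by the current user
#   ok    : everything else
audit_list() {
    while IFS= read -r raw; do
        case $raw in ''|'#'*) continue ;; esac
        set -- $(parse_entry "$raw")
        hide=$1 path=$2 class=$3
        state=$(probe_path "$path")
        verdict=ok
        if [ "$hide" = hide ] && [ "$state" != absent ]; then
            verdict=LEAK
        elif [ "$state" = readable ]; then
            case $class in C|D) verdict=CHECK ;; esac
        fi
        printf '%-6s %-9s %s (%s)\n' "$verdict" "$state" "$path" "$class"
    done
}

# Usage: sh audit_proc.sh LISTFILE
# Run it once as an unprivileged guest user and once as guest root; the
# entries that flip from "denied" to "readable" are the ones whose only
# protection is the capability check the thread discusses.
if [ $# -gt 0 ]; then
    audit_list < "$1"
fi
```

A LEAK line means the '-' prefix is not in effect for that entry; a CHECK line on a (C)/(D) entry as an unprivileged user is the case where hiding the entry, rather than relying on capabilities, would actually matter.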


Generated on Tue 23 Mar 2004 - 02:33:02 GMT by hypermail 2.1.3