246311 – [patch] procstat can't view current working directory (affects xfce4-terminal, linprocfs, ...)

Bug 246311 - [patch] procstat can't view current working directory (affects xfce4-terminal, linprocfs, ...)

Summary: [patch] procstat can't view current working directory (affects xfce4-terminal...

Status:	Closed Not A Bug

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	CURRENT
Hardware:	Any Any

Importance:	--- Affects Many People
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2020-05-08 15:43 UTC by Damjan Jovanovic
Modified:	2020-10-14 15:45 UTC (History)
CC List:	2 users (show)

See Also:

Attachments
Decrease the procstat fd access restriction to PGET_CANSEE (827 bytes, patch) 2020-05-08 15:43 UTC, Damjan Jovanovic	no flags	Details \| Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Damjan Jovanovic 2020-05-08 15:43:13 UTC

Created attachment 214280 [details]
Decrease the procstat fd access restriction to PGET_CANSEE

Currently "procstat fd [pid]" cannot view anything, even for other processes owned by the user making the call, not even their current working directory (CWD), unless it has PGET_CANDEBUG permission.

linprocfs however allows reading the CWD for any process because it doesn't perform that check (sys/compat/linprocfs/linprocfs.c, function linprocfs_doproccwd()).

Applications use this, eg. xfce4-terminal relies on /compat/linux/proc/<pid>/cwd to find the shell's CWD, so that when you open a new tab, it starts in the same CWD as the tab you opened it from (https://github.com/xfce-mirror/xfce4-terminal/blob/master/terminal/terminal-screen.c#L2343). I would like to patch xfce4-terminal to use libprocstat for that instead of needing linprocfs to be mounted, but since procstat is more restrictive, it will break it.

Can we please downgrade PGET_CANDEBUG to at least PGET_CANSEE, so you can view the CWD for processes you own? Maybe other open files still need to be hidden, but the CWD doesn't seem like a major security concern.

Linux's own /proc filesystem never hides the CWD (lrwxrwxrwx), and only hides file descriptors for processes you don't own.

The attached patch decreases the access restriction to PGET_CANSEE, and works as intended in my tests.

Comment 1 Conrad Meyer freebsd_committer

2020-05-09 18:53:08 UTC

Why is PGET_CANDEBUG a problem?

Comment 2 Mark Johnston freebsd_committer

2020-06-01 15:47:35 UTC

(In reply to Conrad Meyer from comment #1)
Indeed, I can't quite understand why PGET_CANDEBUG is a problem.

Can you see exactly what check is failing?  Does xfce4-terminal run as a different user than the shell?

Comment 3 Damjan Jovanovic 2020-06-10 06:06:19 UTC

(In reply to Mark Johnston from comment #2)

xfce4-terminal runs child shells as the same user, but PGET_CANDEBUG doesn't allow reading even the same user's file descriptors when security.bsd.unprivileged_proc_debug=0.

It really should be PGET_CANSEE, as you should be able to see your user's/group's processes and examine their file descriptors, like you can on Linux.

Comment 4 Conrad Meyer freebsd_committer

2020-06-10 06:32:22 UTC

I think you've identified the problem: don't set security.bsd.unprivileged_proc_debug if you want this functionality to work.  The point of that sysctl is to disable functionality like this.

Comment 5 Conrad Meyer freebsd_committer

2020-10-14 15:45:27 UTC

Clearing blocker relationship.  I don't think this has anything to do with linux(4).  Nor is it a bug.