Bug 246311 - [patch] procstat can't view current working directory (affects xfce4-terminal, linprocfs, ...)
Status: Closed Not A Bug
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: freebsd-bugs (Nobody)
Keywords: patch
Reported: 2020-05-08 15:43 UTC by Damjan Jovanovic
Modified: 2020-10-14 15:45 UTC

Decrease the procstat fd access restriction to PGET_CANSEE (827 bytes, patch)
2020-05-08 15:43 UTC, Damjan Jovanovic
Description Damjan Jovanovic 2020-05-08 15:43:13 UTC
Created attachment 214280 [details]
Decrease the procstat fd access restriction to PGET_CANSEE

Currently "procstat fd [pid]" cannot view anything, even for other processes owned by the user making the call, not even their current working directory (CWD), unless it has PGET_CANDEBUG permission.

linprocfs however allows reading the CWD for any process because it doesn't perform that check (sys/compat/linprocfs/linprocfs.c, function linprocfs_doproccwd()).

Applications use this, e.g. xfce4-terminal relies on /compat/linux/proc/<pid>/cwd to find the shell's CWD, so that when you open a new tab, it starts in the same CWD as the tab you opened it from (https://github.com/xfce-mirror/xfce4-terminal/blob/master/terminal/terminal-screen.c#L2343). I would like to patch xfce4-terminal to use libprocstat for that instead of needing linprocfs to be mounted, but since procstat is more restrictive, it will break it.

Can we please downgrade PGET_CANDEBUG to at least PGET_CANSEE, so you can view the CWD for processes you own? Maybe other open files still need to be hidden, but the CWD doesn't seem like a major security concern.

Linux's own /proc filesystem never hides the CWD (lrwxrwxrwx), and only hides file descriptors for processes you don't own.

The attached patch decreases the access restriction to PGET_CANSEE, and works as intended in my tests.
Comment 1 Conrad Meyer freebsd_committer 2020-05-09 18:53:08 UTC
Why is PGET_CANDEBUG a problem?
Comment 2 Mark Johnston freebsd_committer 2020-06-01 15:47:35 UTC
(In reply to Conrad Meyer from comment #1)
Indeed, I can't quite understand why PGET_CANDEBUG is a problem.

Can you see exactly what check is failing?  Does xfce4-terminal run as a different user than the shell?
Comment 3 Damjan Jovanovic 2020-06-10 06:06:19 UTC
(In reply to Mark Johnston from comment #2)

xfce4-terminal runs child shells as the same user, but PGET_CANDEBUG doesn't allow reading even the same user's file descriptors when security.bsd.unprivileged_proc_debug=0.

It really should be PGET_CANSEE, as you should be able to see your user's/group's processes and examine their file descriptors, like you can on Linux.
Comment 4 Conrad Meyer freebsd_committer 2020-06-10 06:32:22 UTC
I think you've identified the problem: don't set security.bsd.unprivileged_proc_debug if you want this functionality to work.  The point of that sysctl is to disable functionality like this.
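A small diagnostic script, added here as an example and not part of the bug report or of FreeBSD's own tooling, that ties the description and comment 4 together: it models the access rule the report describes (fd tables of other processes are readable only under PGET_CANDEBUG, which for an unprivileged user requires security.bsd.unprivileged_proc_debug=1 and a process you own) and, when run on FreeBSD, reads the real sysctl and shows whether `procstat -f` can report the caller's own CWD. The predicate is a deliberate simplification of p_candebug() (it ignores jails, setuid targets and group checks); the column layout assumed for `procstat -f` (FD in the third field, path in the last) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): predict and verify whether
# "procstat -f <pid>" can show a process's fd table / CWD.

# Simplified model of the PGET_CANDEBUG rule described in the report.
#   $1 = value of security.bsd.unprivileged_proc_debug (0 or 1)
#   $2 = "yes" if the caller is root, else "no"
#   $3 = "yes" if the target process is owned by the caller, else "no"
# Prints "yes" if the fd table is expected to be visible, "no" otherwise.
# NOTE: real p_candebug() also considers jails, setuid binaries and group
# ids; this predicate intentionally covers only the case discussed here.
procstat_fd_visible() {
    sysctl_val=$1
    is_root=$2
    same_owner=$3
    if [ "$is_root" = yes ]; then
        echo yes
        return 0
    fi
    if [ "$same_owner" = yes ] && [ "$sysctl_val" = 1 ]; then
        echo yes
        return 0
    fi
    echo no
}

# Human-readable explanation of a "no" answer, so an operator knows which
# knob (per comment 4) is responsible.
explain_fd_denied() {
    sysctl_val=$1
    same_owner=$2
    if [ "$same_owner" != yes ]; then
        echo "target process belongs to another user; only root may inspect it"
    elif [ "$sysctl_val" != 1 ]; then
        echo "security.bsd.unprivileged_proc_debug=$sysctl_val disables inspection of your own processes"
    else
        echo "no denial expected"
    fi
}

# Live check, only meaningful on FreeBSD; elsewhere the script just exits 0.
if [ "$(uname -s)" = FreeBSD ] && command -v procstat >/dev/null 2>&1; then
    val=$(sysctl -n security.bsd.unprivileged_proc_debug 2>/dev/null || echo 0)
    root=no
    [ "$(id -u)" = 0 ] && root=yes
    echo "security.bsd.unprivileged_proc_debug = $val"
    echo "expected fd visibility for own shell (pid $$): $(procstat_fd_visible "$val" "$root" yes)"
    # Assumed "procstat -f" layout: FD in field 3, path in the last field.
    cwd=$(procstat -f $$ 2>/dev/null | awk '$3 == "cwd" { print $NF }')
    if [ -n "$cwd" ]; then
        echo "procstat reports cwd: $cwd"
    else
        echo "procstat did not report a cwd: $(explain_fd_denied "$val" yes)"
    fi
fi
```

Run it as the user whose shell you are inspecting; on a host where an administrator has set security.bsd.unprivileged_proc_debug=0, the script reports that the denial comes from the sysctl rather than from a bug in procstat, which is exactly the resolution given in comment 4.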
Comment 5 Conrad Meyer freebsd_committer 2020-10-14 15:45:27 UTC
Clearing blocker relationship.  I don't think this has anything to do with linux(4).  Nor is it a bug.