From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Tue 23 Mar 2004 - 02:32:07 GMT
herbert_at_13thfloor.at (Herbert Poetzl) writes:
> did a quick, first impression classification on those
> entries, so it is a start, but nothing final, and YMMV
>
> /proc/net/ (C)
required at least for firewall- or VPN-setup vservers
> -/proc/net/rpc/ (D)
proof-of-concept code ;) there is probably no need to remove this entry,
but this directory seems to be good for testing the '-' prefix without
destroying too much functionality...
> -/proc/sys/debug/ (D)
> -/proc/sys/dev/ (D)
ditti
> /proc/kcore (D)
> /proc/kmsg (C)
> /proc/ksyms (C)
protected by CAP_SYS_ADMIN
> (B) ... not required, leaks host info
I do not think that this is a real problem; most parameters can be
determined in other ways also. So hiding the /proc entries would not
increase security.
> (C) ... critical, might pose a security risk
> (D) ... dangerous, might be used for DoS
Capability system should and must give enough protection; there are a few
entries (sysrq-triggers and scsi) which need the extra vproc wrapper. But
this schould be the exception not the rule...
Enrico
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver