[ubuntu-hardened] procfs: change /proc/*/{pagemap, stack, syscall, personality} files mode to 0400.
Daniel Curtis
sidetripping at gmail.com
Sun Feb 1 12:07:56 UTC 2015
Hello
Linux kernel (v3.14) contains interesting changes for:
/proc/*/pagemap, which contains sensitive information etc.
Its mode was 0444 but after commit[1] it changed to
0400.
RESULT: according to the commit description, this reduces
the scope of address space leaking and bypasses by
protecting already running processes.
Other procfs files (/proc/*/{stack,syscall,personality})
contain sensitive information and their mode was also 0444.
After commit[2] it changed to 0400.
RESULT: this reduces the scope of ASLR leaking and bypasses
by protecting already running processes.
I would like to ask if I should make similar changes in Xubuntu
12.04 LTS with the 3.2 Linux kernel? I am thinking about using the
"chmod method" on these files, e.g.:
# chmod 0400 /proc/*/pagemap
# chmod 0400 /proc/*/{stack,syscall,personality}
What do you think about this? Is it a good idea?
Best regards.
____________
[1] 32ed74a4b968a4faff7aaaff557035ce5d5e70ab
[2] 35a35046e4f9d8849e727b0e0f6edac0ece4ca6e
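
An added example, not part of the original message: a read-only check that reports which of the four files named above (pagemap, stack, syscall, personality) have a mode other than 0400. The function names and the ROOT argument (normally /proc) are assumptions made for this example, and GNU or BSD stat is assumed.

```shell
#!/bin/sh
# Added example: audit the modes of the per-process procfs files from the post.
# Nothing is modified; the functions only read file modes.

SENSITIVE_FILES="pagemap stack syscall personality"

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# audit_pid ROOT PID: print one line per file and return the number of
# files whose mode is anything other than 400.
audit_pid() {
    root=$1; pid=$2; bad=0
    for name in $SENSITIVE_FILES; do
        path="$root/$pid/$name"
        if [ ! -e "$path" ]; then
            echo "MISSING $path"   # not every kernel config provides every file
            continue
        fi
        mode=$(file_mode "$path")
        if [ "$mode" = "400" ]; then
            echo "OK      $mode $path"
        else
            echo "EXPOSED $mode $path"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# audit_all ROOT: run audit_pid for every numeric (per-process) directory
# under ROOT and print the total number of files that are not 0400.
audit_all() {
    root=$1; total=0
    for dir in "$root"/[0-9]*; do
        [ -d "$dir" ] || continue
        audit_pid "$root" "${dir##*/}" >/dev/null && n=0 || n=$?
        total=$((total + n))
    done
    echo "$total"
}
```

Run `audit_pid /proc self` for the current process or `audit_all /proc` for every process; a total of 0 means each file found is already 0400.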