Re: ps doesn't need privileges?

Sat, 11 Sep 1999 09:47:57 -0700 

Chris Costello wrote:
> On Sat, Sep 11, 1999, Blaz Zupan wrote:
> > /home/blaz> id
> > uid=1000(blaz) gid=1000(users) groups=1000(users)
> > /home/blaz> ls -l /dev/kmem
> > crw-r-----  1 root  kmem    2,   1 May 23 15:26 /dev/kmem
> 
>    Oh.  ps doesn't use /dev/kmem.
> 
>    Look at a ktrace of it; it works just as it should.  /tmp/ps
> auwwx prints what it should and the ktrace output shows it opens
> the processes whose memory it can read (as ``nobody'' I could
> read httpd processes, my ksh process and my ps process) and
> errors for those it cannot:
> 
>   8290 ps       CALL  __sysctl(0xbfbfc944,0x4,0xbfbfc954,0xbfbfc940,0,0)
>   8290 ps       RET   __sysctl 0
>   8290 ps       CALL  open(0xbfbfc878,0,0)
>   8290 ps       NAMI  "/proc/7997/mem"
>   8290 ps       RET   open -1 errno 13 Permission denied
>   8290 ps       CALL  close(0xffffffff)
>   8290 ps       RET   close -1 errno 9 Bad file descriptor

Not quite.  It uses sysctl(2) to grab the eproc table, which contains most
of the data.  It then uses procfs to get things like the command arguments
(which have to come from the process address space) and so on.

It also means that ps can see your *own* processes and their full command
args:

/tmp/ps -aux
....
peter   63399  0.0  0.1   600  256  pt  Is+   6:46PM   0:00.01 /bin/sh /home/pe
root    63402  0.0  0.5  1544 1160  pt  I+   -         0:00.00  (ssh1)
nobody  68421  0.0  0.6  4240 1428  ??  I    -         0:00.00  (apache)
root    68535  0.0  1.5  4588 3744  ??  I    -         0:00.00  (xterm)
peter   68536  0.0  0.4  1492 1076  pu  Is    8:44PM   0:00.10 -csh (tcsh)
peter   98319  0.0  0.4  1412 1096  p8  T    10:14PM   0:00.05 vi sb.c
peter   98893  0.0  0.4  1412 1096  pu  I+   12:38AM   0:00.30 vi asm.h
peter   98997  0.0  0.4  1404 1060  pd  I+    1:11AM   0:00.10 vi swtch.s
postfix 99059  0.0  0.2   884  564  ??  I    -         0:00.00  (pickup)
....
in the example above, my processes are visible but non-peter ones are just
their basename.

Now that I think about it, it shouldn't be too hard (TM) to finish off the
/proc/pid/cmdline stuff so that ps didn't need to access /mem and didn't
need setgid at all.

Cheers,
-Peter
--
Peter Wemm - [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to