<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thank you Jim. <br>
<br>
I'm incomprehending at to why such was instigated to begin with :-{<br>
<br>
Cordially,<br>
<br>
Courtney<br>
<br>
<br>
On 02/08/12 08:43, Jim Kinney wrote:
<blockquote
cite="mid:CAEo=5Pw_m6oSdepuSn7kPyBuGe6QW_C0=pSh2EVJBGdyBDt+xA@mail.gmail.com"
type="cite">
<p>To sum up, /proc is not a place where humans write. It is
literally a view into kernel processes.<br>
There are some runtime variables that can be tweaked by admins.
For most situations these are best handled by sysctl. Most, if
not all of these, have been relocated to /sys (or I have this
all wrong and backwards between sys and proc).</p>
<div class="gmail_quote">On Feb 7, 2012 6:51 PM, "Michael H.
Warfield" <<a moz-do-not-send="true"
href="mailto:mhw@wittsend.com">mhw@wittsend.com</a>> wrote:<br
type="attribution">
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
On Tue, 2012-02-07 at 11:46 -0500, Courtney Thomas wrote:<br>
> Jim,<br>
><br>
> As always.... thanks for your reply.<br>
><br>
> You were correct that kvm was apparently attempting to
write to /proc~.<br>
><br>
> The puzzle for me is that... there is no /proc/~/mem to
which to write,<br>
> but... apparently this is not permissible by design, as
I'm not allowed<br>
> to change /proc's 555 permissions.<br>
><br>
> Can /proc's permissions be changed from 555 to, say, 755,
and if so how;<br>
> for when I attempt this I get the error that "this is not
supported" ? I<br>
> must say, though, that /proc is the only subdir in it's
dir whose<br>
> permissions are not set 755.<br>
<br>
It will not help. /proc/.../mem is special and there was
recently a<br>
security advisory on how it was handled in 2.6.29 and above
(2.6.26 if<br>
you are on RedHat 6.2 / CentOS 6.2 / SL 6.2). Permission to
write<br>
to /proc/.../mem was only recently enabled at all and then
restricted to<br>
some very specific circumstances (self and certain tracing /
debugging<br>
functions). Unfortunately, the handling of those
circumstances proved<br>
to be flawed resulting in an escalation of privilege by a
local user on<br>
the system, which Linus then quickly fixed.<br>
<br>
<a moz-do-not-send="true"
href="http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc"
target="_blank">http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=e268337dfe26dfc7efd422a804dbb27977a3cccc</a><br>
<a moz-do-not-send="true"
href="http://www.computerworld.com/s/article/9223675/Linux_vendors_rush_to_patch_privilege_escalation_flaw_after_root_exploits_emerge"
target="_blank">http://www.computerworld.com/s/article/9223675/Linux_vendors_rush_to_patch_privilege_escalation_flaw_after_root_exploits_emerge</a><br>
<a moz-do-not-send="true"
href="https://rhn.redhat.com/errata/RHSA-2012-0052.html"
target="_blank">https://rhn.redhat.com/errata/RHSA-2012-0052.html</a><br>
<a moz-do-not-send="true"
href="https://www.redhat.com/security/data/cve/CVE-2012-0056.html"
target="_blank">https://www.redhat.com/security/data/cve/CVE-2012-0056.html</a><br>
<br>
In kernel space, we do not honor permissions, we enforce them.
If the<br>
code path says "if foo then return error = EPERM" your screwed
no matter<br>
what you set the permissions to.<br>
<br>
If you want to read a really detailed analysis of what it
takes to<br>
exploit this and just how convoluted these exploits can be you
can check<br>
out this blog posting here (includes a link to proof of
concept exploit<br>
code)...<br>
<br>
<a moz-do-not-send="true" href="http://blog.zx2c4.com/749"
target="_blank">http://blog.zx2c4.com/749</a><br>
<br>
> More mystifyingly... there are other entries that ARE
written to in<br>
> /proc's subdirs. Huh ? I assumed, apparently wrongly,
that if a dir's<br>
> permissions disallowed writing, then it's subdirs would
also not allow<br>
> writing.<br>
><br>
> I am also disallowed from changing proc's 'chown'.<br>
><br>
> Finally, when I - cat /proc/version - I get that Linux
is version<br>
> 2.6.16. Does this tell you anything ?<br>
><br>
> Bedazzled and befuddled, as usual :-)<br>
><br>
> Courtney<br>
><br>
><br>
> On 02/06/12 19:27, Jim Kinney wrote:<br>
> ><br>
> > The first looks like kvm thinks it should be doing
something. If you<br>
> > aren't running a kvm based server, disable kvm.<br>
> > The sendmail issue os literally the daemon can't
write the file.<br>
> > Either disk full or permission error. For unknown
reasons sometimes<br>
> > the var/mail becomes not gtoup writeable. A perm
change fixed it and<br>
> > it didn't reappear.<br>
> ><br>
> > On Feb 6, 2012 1:13 PM, "Courtney Thomas"<br>
> > <<a moz-do-not-send="true"
href="mailto:courtneycthomas@bellsouth.net">courtneycthomas@bellsouth.net</a>
<mailto:<a moz-do-not-send="true"
href="mailto:courtneycthomas@bellsouth.net">courtneycthomas@bellsouth.net</a>>><br>
> > wrote:<br>
> ><br>
> > What is the significance of this error which is
regularly appearing in<br>
> > /var/log/messages along with.....<br>
> ><br>
> > kvm_getenvv<br>
> ><br>
> > failed ?<br>
> ><br>
> > This is apparently aroused by gnome's
"console-kit-daemon"<br>
> ><br>
> >
______________________________________________________________________________________________<br>
> ><br>
> ><br>
> > I'm also getting what I assume is a sendmail
complaint as follows:<br>
> ><br>
> > sm-mta cannot write .q###############:
permission denied.<br>
> ><br>
> > How can I resolve this as well, pleasely,<br>
> ><br>
> > C.Thomas<br>
> > _______________________________________________<br>
> > Ale mailing list<br>
> > <a moz-do-not-send="true"
href="mailto:Ale@ale.org">Ale@ale.org</a> <mailto:<a
moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a>><br>
> > <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> > <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
> ><br>
> ><br>
> ><br>
> > _______________________________________________<br>
> > Ale mailing list<br>
> > <a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> > <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> > See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> > <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
><br>
><br>
> _______________________________________________<br>
> Ale mailing list<br>
> <a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
> <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
> <a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
--<br>
Michael H. Warfield (AI4NB) | <a moz-do-not-send="true"
href="tel:%28770%29%20985-6132" value="+17709856132">(770)
985-6132</a> | <a class="moz-txt-link-abbreviated" href="mailto:mhw@WittsEnd.com">mhw@WittsEnd.com</a><br>
/\/\|=mhw=|\/\/ | <a moz-do-not-send="true"
href="tel:%28678%29%20463-0932" value="+16784630932">(678)
463-0932</a> | <a moz-do-not-send="true"
href="http://www.wittsend.com/mhw/" target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in
the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is
sure of it!<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale"
target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</blockquote>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Ale mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ale@ale.org">Ale@ale.org</a>
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo/ale">http://mail.ale.org/mailman/listinfo/ale</a>
See JOBS, ANNOUNCE and SCHOOLS lists at
<a class="moz-txt-link-freetext" href="http://mail.ale.org/mailman/listinfo">http://mail.ale.org/mailman/listinfo</a>
</pre>
</blockquote>
<br>
</body>
</html>