Bug 840905

Summary: pmcd /proc information disclosure
Product: Fedora
Reporter: Florian Weimer <fweimer>
Component: pcp
Assignee: Mark Goodwin <mgoodwin>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 16
CC: fche, kenj, mgoodwin, nathans, security-response-team
Keywords: Security
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pcp-3.6.5
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-08-20 00:02:59 EDT
Bug Blocks: 840765, 841702
Attachments: patch to split off a new "proc" agent from the "linux" agent (flags: none)

Description Florian Weimer 2012-07-17 10:46:59 EDT
pmcd exports a lot of information from /proc, including full command lines ("proc.psargs"), /proc/*/maps ("proc.memory.maps"), and stack and instruction pointers ("proc.psinfo.esp", "proc.psinfo.eip").  Because pmcd runs as root, these files are available to all local users (and remote users if the firewall is disabled).  This helps to bypass ASLR and could enable reliable code execution attacks, using another vulnerability.

(The log file /var/log/pcp/pmcd/pmcd.log is world-readable and contains DSO mapping addresses.)

pmcd starts automatically when the pcp package is installed.  It listens on 0.0.0.0 and does not require authentication.
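As an added illustration of why the metrics named in the report matter (this is not code from the report or from PCP): a parser for the /proc/<pid>/maps format that proc.memory.maps exposed, applied to a constructed maps sample together with constructed values standing in for a leaked proc.psinfo.eip and proc.psinfo.esp reading. Resolving the leaked pointer to its mapping recovers the load base of the library and the pointer's offset into the on-disk file, which is exactly the information ASLR is meant to withhold from an attacker who already has a memory-corruption bug in the target. All addresses, paths and inode numbers below are made up.

```python
"""Resolve leaked code/stack pointers against /proc/<pid>/maps data.

Added example for bug 840905; not part of the report or of PCP.
The maps text and the leaked pointer values are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One /proc/<pid>/maps line: address range, perms, file offset, dev, inode, pathname
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)\s*(?P<path>\S.*)?$"
)


@dataclass
class Mapping:
    start: int
    end: int
    perms: str
    offset: int   # file offset this mapping starts at
    path: str     # empty for anonymous mappings

    def contains(self, addr: int) -> bool:
        return self.start <= addr < self.end


def parse_maps(text: str) -> List[Mapping]:
    """Parse the text of /proc/<pid>/maps into Mapping records."""
    mappings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable maps line: {line!r}")
        mappings.append(Mapping(
            start=int(m["start"], 16),
            end=int(m["end"], 16),
            perms=m["perms"],
            offset=int(m["offset"], 16),
            path=(m["path"] or "").strip(),
        ))
    return mappings


def image_base(mappings: List[Mapping], path: str) -> Optional[int]:
    """Lowest start address of the mappings backed by `path`, i.e. where the
    loader placed that image; ASLR randomises exactly this value."""
    starts = [m.start for m in mappings if m.path == path]
    return min(starts) if starts else None


def resolve(mappings: List[Mapping], addr: int) -> Optional[Tuple[str, int, int]]:
    """Return (path, image_base, offset_in_file) for a leaked address, or None
    if it falls outside every mapping. With image_base known, an attacker adds
    the offset of any function or gadget from the on-disk library and has a
    usable absolute address for a later exploit."""
    for m in mappings:
        if m.contains(addr):
            base = image_base(mappings, m.path) if m.path else m.start
            file_off = m.offset + (addr - m.start)
            return m.path, base, file_off
    return None


# Constructed sample in /proc/<pid>/maps format (not from a real system).
CONSTRUCTED_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234567  /usr/bin/victim
00600000-00601000 rw-p 00000000 08:01 1234567  /usr/bin/victim
7f3a1c200000-7f3a1c3b5000 r-xp 00000000 08:01 2345678  /lib64/libc-2.15.so
7f3a1c3b5000-7f3a1c5b5000 ---p 001b5000 08:01 2345678  /lib64/libc-2.15.so
7f3a1c5b5000-7f3a1c5b9000 r--p 001b5000 08:01 2345678  /lib64/libc-2.15.so
7f3a1c5b9000-7f3a1c5bb000 rw-p 001b9000 08:01 2345678  /lib64/libc-2.15.so
7fff8a1e0000-7fff8a201000 rw-p 00000000 00:00 0        [stack]
7fff8a3ff000-7fff8a400000 r-xp 00000000 00:00 0        [vdso]
"""

# Constructed values standing in for leaked proc.psinfo.eip / proc.psinfo.esp readings.
LEAKED_EIP = 0x7F3A1C2E6120
LEAKED_ESP = 0x7FFF8A1FF8C0

if __name__ == "__main__":
    maps = parse_maps(CONSTRUCTED_MAPS)
    for name, addr in (("eip", LEAKED_EIP), ("esp", LEAKED_ESP)):
        hit = resolve(maps, addr)
        print(f"{name}={addr:#x} -> {hit[0]} base={hit[1]:#x} file_off={hit[2]:#x}")
```

The same resolution works for the stack pointer: mapping esp into [stack] tells the attacker where the stack lives, which is the other half of what a stack-based exploit needs once the code base is known.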
Comment 2 Frank Ch. Eigler 2012-07-17 15:53:05 EDT
There exist medium-term plans (a couple of months) to make pmcd use some less-privileged userid and/or pass authentication to the linux/proc pmda, so that sensitive data like this is not easily available.
Comment 3 Mark Goodwin 2012-07-18 23:23:37 EDT
I'm planning to migrate all 'proc' metrics (per-process) from the linux
PMDA into a new 'proc' PMDA - this is probably the first step for this
BZ. The new proc PMDA would be installed but not enabled by default.

Also, as Frank mentioned, partially completed patches exist to optionally
run pmcd as non-root and there are authentication plans underway too.
Comment 4 Mark Goodwin 2012-07-24 00:01:07 EDT
Created attachment 599902 [details]
patch to split off a new "proc" agent from the "linux" agent


Attached patch splits off a new "proc" PMDA from the Linux
PMDA. The new PMDA is not enabled by default, thus resolving
the issue reported in a default pcp installation.

Committed in git://oss.sgi.com/markgw/pcp/pcp.git proc_pmda
d9c696f1e999ef22828d7b1485634b0998573d9f
228d75bc7131251977df5ab33551e666920cfca9
f15378821b2d53ad00a8083653ea3ab4f8e63070
b28bb3bd72ef9d6bd538d991efec34f65374b7df
372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3
8ff4984fee93bab09ea5c68b7ee18d1ab715bea1
279950ec0f5bb70967b2d5260ac7f075b8187ca1
c20319d064af66dc5902661a3f05dccb24d7d177
Comment 5 Florian Weimer 2012-07-24 11:58:36 EDT
(In reply to comment #4)
> Created attachment 599902 [details]
> patch to split off a new "proc" agent from the "linux" agent
> 
> 
> Attached patch splits off a new "proc" PMDA from the Linux
> PMDA. The new PMDA is not enabled by default, thus resolving
> the issue reported in a default pcp installation.

I looked at the remaining pmda_linux in the Git repository and couldn't spot any obvious leaks (assuming that neither the kernel nor pmcd updates statistics too often so that timing information from network traffic or interrupts isn't exposed).

Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on busy web servers and similar systems.
Comment 6 Mark Goodwin 2012-07-25 01:59:18 EDT
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 599902 [details]
> > patch to split off a new "proc" agent from the "linux" agent
> >
> > Attached patch splits off a new "proc" PMDA from the Linux
> > PMDA. The new PMDA is not enabled by default, thus resolving
> > the issue reported in a default pcp installation.
> 
> I looked at the remaining pmda_linux in the Git repository and couldn't spot
> any obvious leaks (assuming that neither the kernel nor pmcd updates
> statistics too often so that timing information from network traffic or
> interrupts isn't exposed).

thanks

> Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on
> busy web servers and similar systems.

PCP uses a 'pull' model of metrics collection - nothing is fetched if there
are no active clients - so this is no worse than running netstat. However
we'll keep this in mind for archive logging - pmlogger allows different
groups of metrics to be collected at different fetch frequencies, so the
network.{tcp,tcpconn}.* metrics should be fetched at a much lower frequency than, say, the kernel.percpu metrics.

Thanks
-- Mark
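As an added example of the per-group fetch frequencies Mark refers to (this is not a configuration from the thread or shipped by PCP): a pmlogger control file in the `log mandatory on <interval> { ... }` form documented in pmlogger(1), sampling the cheap per-CPU counters often and the /proc/net/tcp-backed network.tcp and network.tcpconn metrics rarely. The exact interval keywords are as I recall them from the manual and should be checked against the pmlogger version in use; the 10 second and 5 minute values are illustrative choices.

```conf
# Added example pmlogger configuration (not from PCP or the bug thread).
# Per-CPU kernel counters are cheap to fetch: sample them frequently.
log mandatory on 10 seconds {
    kernel.percpu.cpu
}

# network.tcp and network.tcpconn are derived from a full read of
# /proc/net/tcp, which grows with the connection table on a busy server,
# so sample them at a much lower rate.
log mandatory on 5 minutes {
    network.tcp
    network.tcpconn
}
```

Because pmcd only fetches what a client asks for, this keeps the expensive /proc/net/tcp walk to once per five minutes for the archive while the cheap metrics are still logged at the finer interval.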