Bug 840905
| Summary: | pmcd /proc information disclosure | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Florian Weimer <fweimer> | ||||
| Component: | pcp | Assignee: | Mark Goodwin <mgoodwin> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 16 | CC: | fche, kenj, mgoodwin, nathans, security-response-team | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | pcp-3.6.5 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2012-08-20 04:02:59 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 840765, 841702 | ||||||
| Attachments: |
|
||||||
There exist medium-term plans (a couple of months) to make pmcd use some less-privileged userid and/or pass authentication to the linux/proc pmda, so that sensitive data like this is not easily available. I'm planning to migrate all 'proc' metrics (per-process) from the linux PMDA into a new 'proc' PMDA - this is probably the first step for this BZ. The new proc PMDA would be installed but not enabled by default. Also, as Frank mentioned, partially completed patches exist to optionally run pmcd as non-root and there are authentication plans underway too. Created attachment 599902 [details]
patch to split off a new "proc" agent from the "linux" agent
Attached patch splits off a new "proc" PMDA from the Linux
PMDA. The new PMDA is not enabled by default, thus resolving
the issue reported in a default pcp installation.
Commited in git://oss.sgi.com/markgw/pcp/pcp.git proc_pmda
d9c696f1e999ef22828d7b1485634b0998573d9f
228d75bc7131251977df5ab33551e666920cfca9
f15378821b2d53ad00a8083653ea3ab4f8e63070
b28bb3bd72ef9d6bd538d991efec34f65374b7df
372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3
8ff4984fee93bab09ea5c68b7ee18d1ab715bea1
279950ec0f5bb70967b2d5260ac7f075b8187ca1
c20319d064af66dc5902661a3f05dccb24d7d177
(In reply to comment #4) > Created attachment 599902 [details] > patch to split off a new "proc" agent from the "linux" agent > > > Attached patch splits off a new "proc" PMDA from the Linux > PMDA. The new PMDA is not enabled by default, thus resolving > the issue reported in a default pcp installation. I looked at the remaining pmda_linux in the Git repository and couldn't spot any obvious leaks (assuming that neither the kernel nor pmcd updates statistics too often so that timing information from network traffic or interrupts isn't exposed). Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on busy web servers and similar systems. (In reply to comment #5) > (In reply to comment #4) > > Created attachment 599902 [details] > > patch to split off a new "proc" agent from the "linux" agent > > > > Attached patch splits off a new "proc" PMDA from the Linux > > PMDA. The new PMDA is not enabled by default, thus resolving > > the issue reported in a default pcp installation. > > I looked at the remaining pmda_linux in the Git repository and couldn't spot > any obvious leaks (assuming that neither the kernel nor pmcd updates > statistics too often so that timing information from network traffic or > interrupts isn't exposed). thanks > Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on > busy web servers and similar systems. PCP uses a 'pull' model of metrics collection - nothing is fetched if there are no active clients - so this is no worse than running netstat. However we'll keep this in mind for archive logging - pmlogger allows different groups of metrics to be collected at different fetch frequencies, so the network.{tcp,tcpconn}.* metrics should be fetched at a much lower frequency than, say, the kernel.percpu metrics. Thanks -- Mark Upstream patches: http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=c20319d064af66dc5902661a3f05dccb24d7d177 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=279950ec0f5bb70967b2d5260ac7f075b8187ca1 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=8ff4984fee93bab09ea5c68b7ee18d1ab715bea1 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=b28bb3bd72ef9d6bd538d991efec34f65374b7df http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=f15378821b2d53ad00a8083653ea3ab4f8e63070 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=228d75bc7131251977df5ab33551e666920cfca9 http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=d9c696f1e999ef22828d7b1485634b0998573d9f This issue has been addressed in pcp-3.6.5 This issue was addressed in Fedora and EPEL via the following security updates: Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16 Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17 Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18 EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5 EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6 |
pmcd exports a lot of information from /proc, including full command lines ("proc.psargs"), /proc/*/maps ("proc.memory.maps"), and stack and instruction pointers ("proc.psinfo.esp", "proc.psinfo.eip"). Because pmcd runs as root, these files are available to all local users (and remote users if the firewall is disabled). This helps to bypass ASLR and could enable reliable code execution attacks, using another vulnerability. (The log file /var/log/pcp/pmcd/pmcd.log is world-readable and contains DSO mapping addresses. pmcd starts automatically when the pcp package is installed. It listens on 0.0.0.0 and does not require authentication.