pmcd exports a lot of information from /proc, including full command lines ("proc.psargs"), /proc/*/maps ("proc.memory.maps"), and stack and instruction pointers ("proc.psinfo.esp", "proc.psinfo.eip"). Because pmcd runs as root, these files are available to all local users (and remote users if the firewall is disabled). This helps to bypass ASLR and could enable reliable code execution attacks, using another vulnerability. (The log file /var/log/pcp/pmcd/pmcd.log is world-readable and contains DSO mapping addresses.) pmcd starts automatically when the pcp package is installed. It listens on 0.0.0.0 and does not require authentication.
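A quick local audit for the three exposure conditions named in the report (pmcd bound to the wildcard address, the pmcd log world-readable, and a per-process "proc" agent configured), written as an added example for this thread rather than code from the bug report or from the PCP project. It assumes pmcd's default TCP port 44321, that pmcd.conf is at /etc/pcp/pmcd/pmcd.conf with one agent per line and the agent name in the first column (the layout of the "proc" PMDA split off later in this thread), and that listening sockets are read from `ss -ltn` or `netstat -ltn` output; the functions take paths and text so they can be pointed at captured output.

```shell
#!/bin/sh
# pmcd exposure audit (added example; not part of the bug report or of PCP).
# Assumed defaults: port 44321, pmcd.conf location, log path from the report.
PMCD_LOG=${PMCD_LOG:-/var/log/pcp/pmcd/pmcd.log}
PMCD_CONF=${PMCD_CONF:-/etc/pcp/pmcd/pmcd.conf}
PMCD_PORT=${PMCD_PORT:-44321}

# is_world_readable FILE: exit 0 when the "other" class has read permission
# (column 8 of `ls -ld` output is the other-read bit; portable across stat(1)s).
is_world_readable() {
    [ -e "$1" ] || return 2
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# proc_agent_enabled CONF: exit 0 when an uncommented pmcd.conf line starts
# with the agent name "proc" (assumed first-column layout of pmcd.conf).
proc_agent_enabled() {
    grep -Eq '^[[:space:]]*proc[[:space:]]' "$1" 2>/dev/null
}

# listens_on_all_interfaces TEXT: exit 0 when TEXT (ss/netstat -ltn style
# lines with a "Local Address:Port" column) shows the pmcd port bound to the
# wildcard address 0.0.0.0, * or [::].
listens_on_all_interfaces() {
    printf '%s\n' "$1" |
        grep -Eq "(0\\.0\\.0\\.0|\\*|\\[::\\]):$PMCD_PORT[[:space:]]"
}

# audit_pmcd: run all three checks against the live host and report findings.
audit_pmcd() {
    rc=0
    sockets=$(ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null)
    if listens_on_all_interfaces "$sockets"; then
        echo "FINDING: pmcd port $PMCD_PORT is bound to all interfaces"; rc=1
    fi
    if is_world_readable "$PMCD_LOG"; then
        echo "FINDING: $PMCD_LOG is world-readable (DSO load addresses)"; rc=1
    fi
    if proc_agent_enabled "$PMCD_CONF"; then
        echo "FINDING: per-process 'proc' agent is enabled in $PMCD_CONF"; rc=1
    fi
    [ $rc -eq 0 ] && echo "OK: no pmcd exposure findings"
    return $rc
}

# Only touch the live system when explicitly asked: `sh audit.sh run`
if [ "${1:-}" = run ]; then
    audit_pmcd
fi
```

Each check is a separate function so the same logic can be run over a saved `ss -ltn` listing or a copied pmcd.conf from another host; a non-zero exit from `audit_pmcd` is meant for use in a configuration-compliance job.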
There exist medium-term plans (a couple of months) to make pmcd use some less-privileged userid and/or pass authentication to the linux/proc pmda, so that sensitive data like this is not easily available.
I'm planning to migrate all 'proc' metrics (per-process) from the linux PMDA into a new 'proc' PMDA - this is probably the first step for this BZ. The new proc PMDA would be installed but not enabled by default. Also, as Frank mentioned, partially completed patches exist to optionally run pmcd as non-root and there are authentication plans underway too.
Created attachment 599902 [details]
patch to split off a new "proc" agent from the "linux" agent

Attached patch splits off a new "proc" PMDA from the Linux PMDA. The new PMDA is not enabled by default, thus resolving the issue reported in a default pcp installation.

Committed in git://oss.sgi.com/markgw/pcp/pcp.git proc_pmda
d9c696f1e999ef22828d7b1485634b0998573d9f
228d75bc7131251977df5ab33551e666920cfca9
f15378821b2d53ad00a8083653ea3ab4f8e63070
b28bb3bd72ef9d6bd538d991efec34f65374b7df
372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3
8ff4984fee93bab09ea5c68b7ee18d1ab715bea1
279950ec0f5bb70967b2d5260ac7f075b8187ca1
c20319d064af66dc5902661a3f05dccb24d7d177
(In reply to comment #4)
> Created attachment 599902 [details]
> patch to split off a new "proc" agent from the "linux" agent
>
> Attached patch splits off a new "proc" PMDA from the Linux
> PMDA. The new PMDA is not enabled by default, thus resolving
> the issue reported in a default pcp installation.

I looked at the remaining pmda_linux in the Git repository and couldn't spot any obvious leaks (assuming that neither the kernel nor pmcd updates statistics too often so that timing information from network traffic or interrupts isn't exposed).

Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on busy web servers and similar systems.
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 599902 [details]
> > patch to split off a new "proc" agent from the "linux" agent
> >
> > Attached patch splits off a new "proc" PMDA from the Linux
> > PMDA. The new PMDA is not enabled by default, thus resolving
> > the issue reported in a default pcp installation.
>
> I looked at the remaining pmda_linux in the Git repository and couldn't spot
> any obvious leaks (assuming that neither the kernel nor pmcd updates
> statistics too often so that timing information from network traffic or
> interrupts isn't exposed).

thanks

> Totally unrelated: you read /proc/net/tcp, that's going to hurt big time on
> busy web servers and similar systems.

PCP uses a 'pull' model of metrics collection - nothing is fetched if there are no active clients - so this is no worse than running netstat. However we'll keep this in mind for archive logging - pmlogger allows different groups of metrics to be collected at different fetch frequencies, so the network.{tcp,tcpconn}.* metrics should be fetched at a much lower frequency than, say, the kernel.percpu metrics.

Thanks
-- Mark
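The split fetch schedule described in the comment above, as an added pmlogger configuration example that is not from the thread or from the PCP project. It assumes the pmlogger(1) control-file syntax `log mandatory on every <interval> { <metrics> }`, that naming a non-leaf metric such as `kernel.percpu` logs everything beneath it, and the two intervals are illustrative values, not recommendations from the thread.

```text
# Added example pmlogger configuration: cheap per-CPU counters at a short
# interval, the /proc/net/tcp-backed metrics at a much longer one so the
# expensive scan runs rarely on busy servers.

log mandatory on every 10 seconds {
    kernel.percpu
}

log mandatory on every 5 minutes {
    network.tcp
    network.tcpconn
}
```

Because pmcd only reads /proc/net/tcp when a client asks for those metrics, the longer interval on the second group bounds how often the scan happens regardless of how many other metrics pmlogger records.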
Upstream patches:
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=c20319d064af66dc5902661a3f05dccb24d7d177
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=279950ec0f5bb70967b2d5260ac7f075b8187ca1
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=8ff4984fee93bab09ea5c68b7ee18d1ab715bea1
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=372b1b0d34ae2a0e1df5b6f4a6d2b1a54c90bef3
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=b28bb3bd72ef9d6bd538d991efec34f65374b7df
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=f15378821b2d53ad00a8083653ea3ab4f8e63070
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=228d75bc7131251977df5ab33551e666920cfca9
http://oss.sgi.com/cgi-bin/gitweb.cgi?p=pcp/pcp.git;a=commit;h=d9c696f1e999ef22828d7b1485634b0998573d9f

This issue has been addressed in pcp-3.6.5
This issue was addressed in Fedora and EPEL via the following security updates:
Fedora-16: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc16
Fedora-17: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc17
Rawhide: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.fc18
EPEL-5: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el5
EPEL-6: https://admin.fedoraproject.org/updates/pcp-3.6.5-1.el6