Thread: enables access to .config (Linux Security forums, System Security and Security Related category)
Hi,

the linux kernel has the option "Enable access to .config through /proc/config.gz". This allows every user to read the kernel configuration. Is this not dangerous on a public server like one at a university that students connect to via ssh?

Chris

On 30.03.2005, Christian Christmann <plfriko@yahoo.de> wrote:
> the linux kernel has the option
> "Enable access to .config through /proc/config.gz"
>
> This allows every user to read the kernel configuration.
>
> Is this not dangerous on a public server like one at a
> university where students connect to via ssh?

If you have some kernel configuration options/patches that you wouldn't like to show to students, then you should disable this option. Did you chmod /usr/src so that students can't read /usr/src/linux/.config? If not, then enabling this option won't disclose any additional information to students. After all, if you're using a 2.6.x kernel (is that the case?) you can always chmod /proc/config.gz.

--
Feel free to correct my English
Stanislaw Klekot

Stachu 'Dozzie' K. wrote:
> On 30.03.2005, Christian Christmann <plfriko@yahoo.de> wrote:
>
>> the linux kernel has the option
>> "Enable access to .config through /proc/config.gz"
>>
>> This allows every user to read the kernel configuration.
>>
>> Is this not dangerous on a public server like one at a
>> university where students connect to via ssh?
>
> If you have some kernel configuration options/patches that you wouldn't
> like to show to students, then you should disable this option.
> Did you chmod /usr/src so that students can't read
> /usr/src/linux/.config? If not, then enabling this option won't disclose
> any additional information to students.
> After all, if you're using a 2.6.x kernel (is that the case?) you can always
> chmod /proc/config.gz.

I just disable it any time I compile the kernel. I find it's not useful for anything and it shows all your kernel configuration. This can be bad if you are using patches like grsecurity and you don't want to show them to your users.

Regards.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

On Wed, 30 Mar 2005 13:22:30 +0200, Christian Christmann wrote:
> Is this not dangerous on a public server like one at a
> university where students connect to via ssh?

So don't use the option.

--
Rolf Arne Schulze
Trans-atlantic weightloss challenge: http://tawlc.net/
Min Weblog: http://rolfas.net/

On 30.03.2005, Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote:
> Stachu 'Dozzie' K. wrote:
>> On 30.03.2005, Christian Christmann <plfriko@yahoo.de> wrote:
>>
>>> the linux kernel has the option
>>> "Enable access to .config through /proc/config.gz"
>>>
>>> This allows every user to read the kernel configuration.
>>>
>>> Is this not dangerous on a public server like one at a
>>> university where students connect to via ssh?
>>
>> If you have some kernel configuration options/patches that you wouldn't
>> like to show to students, then you should disable this option.
>> Did you chmod /usr/src so that students can't read
>> /usr/src/linux/.config? If not, then enabling this option won't disclose
>> any additional information to students.
>> After all, if you're using a 2.6.x kernel (is that the case?) you can always
>> chmod /proc/config.gz.
>
> I just disable it any time I compile the kernel. I find it's
> not useful for anything and it shows all your kernel
> configuration. This can be bad if you are using patches like
> grsecurity and you don't want to show them to your users.

But it might be useful when you have multiple machines, each with a different configuration. Remember that you can do `chmod 600 /proc/config.gz'. Removing it can be useful only when you expect that someone can get root on your machine and thus can read config.gz, but he can also read the kernel image from the boot disk, so it may not be much help.

--
Feel free to correct my English
Stanislaw Klekot

Stachu 'Dozzie' K. wrote:
> But it might be useful when you have multiple machines, each with a
> different configuration. Remember that you can do
> `chmod 600 /proc/config.gz'. Removing it can be useful only when you
> expect that someone can get root on your machine and thus can read
> config.gz, but he can also read the kernel image from the boot disk, so it
> may not be much help.

Yes, it can be useful if you've got multiple machines, but what I don't see is the reason to have this data in the kernel. You can have it in a file in /etc, for example. It could be useful if you've got multiple machines with different kernels and you change them very often. But it's all just an opinion.

Regards.

--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"

Jose Maria Lopez Hernandez <jkerouac@bgsec.com> writes:
> Stachu 'Dozzie' K. wrote:
>> But it might be useful when you have multiple machines, each with a
>> different configuration. Remember that you can do
>> `chmod 600 /proc/config.gz'. Removing it can be useful only when you
>> expect that someone can get root on your machine and thus can read
>> config.gz, but he can also read the kernel image from the boot disk, so it
>> may not be much help.
>
> Yes, it can be useful if you've got multiple machines, but what
> I don't see is the reason to have this data in the kernel. You
> can have it in a file in /etc, for example.

Under Mandrake, the info is kept in /boot. There is a config file for each kernel, and a link to the config file for the "vmlinuz" (i.e. "default") kernel. They have also switched off the /proc config. That would be useful, however, for giving the config file for the currently running kernel (instead of having to figure out which of the config files in /boot is actually active at present).

> It could be useful if you've got multiple machines with different
> kernels and you change them very often.
> But it's all just an opinion.
>
> Regards.
>
> --
> Jose Maria Lopez Hernandez
> Director Tecnico de bgSEC
> jkerouac@bgsec.com
> bgSEC Seguridad y Consultoria de Sistemas Informaticos
> http://www.bgsec.com
> ESPAÑA
>
> The only people for me are the mad ones -- the ones who are mad to live,
> mad to talk, mad to be saved, desirous of everything at the same time,
> the ones who never yawn or say a commonplace thing, but burn, burn, burn
> like fabulous yellow Roman candles.
> -- Jack Kerouac, "On the Road"

Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote:
> Yes, it can be useful if you've got multiple machines, but what
> I don't see is the reason to have this data in the kernel. You
> can have it in a file in /etc, for example.

Even on a single machine it is useful if you have multiple *kernels*. Not too common on a server, more so on laptops.

--
pa at panix dot com

Stachu 'Dozzie' K., Wed 2005-03-30 @ 18:41:59 (CEST):
> On 30.03.2005, Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote:
>>
>> This can be bad if you are using patches like
>> grsecurity and you don't want to show them to your users.

Just use the ACL system ;^).

> Remember that you can do `chmod 600 /proc/config.gz'.

No sense in writing to that file, so 400 would be wiser IMHO.

--
David Serrano
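The thread's practical advice boils down to one check: is the kernel configuration readable by unprivileged users at any of the places it lives? The script below is an added example written for this page, not code posted by any participant. It audits the three locations the replies mention (/proc/config.gz, /usr/src/linux/.config, and a per-kernel copy under /boot) by reading the "other" read bit from `ls -ld` rather than using `test -r`, so the answer is the same whether it is run as root or as a student. The `/boot/config-$(uname -r)` file name is an assumption (one reply says Mandrake keeps a config per kernel in /boot, but the naming differs between distributions); `CONFIG_IKCONFIG_PROC` is the kconfig symbol behind the "Enable access to .config through /proc/config.gz" option.

```shell
#!/bin/sh
# Added example (not from the thread): audit which copies of the kernel
# configuration unprivileged users can read.

# world_readable PATH
# Succeeds (exit 0) when PATH exists and its "other" read bit is set.
# The mode string from `ls -ld` is inspected instead of `test -r` so the
# result does not depend on the privileges of whoever runs the audit.
world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# audit_kernel_config PATH...
# Prints one line per existing path and succeeds only when none of the
# existing paths is world-readable.
audit_kernel_config() {
    bad=0
    for f in "$@"; do
        if world_readable "$f"; then
            echo "WORLD-READABLE: $f"
            bad=1
        elif [ -e "$f" ]; then
            echo "restricted:     $f ($(ls -ld -- "$f" | cut -c1-10))"
        fi
    done
    return $bad
}

# Stand-alone run over the locations discussed in the thread.
# The /boot/config-<version> name is an assumption; distributions differ.
if [ -e /proc/config.gz ]; then
    echo "running kernel was built with CONFIG_IKCONFIG_PROC=y (/proc/config.gz present)"
fi
if audit_kernel_config /proc/config.gz /usr/src/linux/.config "/boot/config-$(uname -r)"; then
    echo "no copy of the kernel config is world-readable"
else
    echo "fix: chmod 400 the paths flagged above (for /proc/config.gz, re-apply at every boot)"
fi
```

Two points follow from Stanislaw's and David's replies: `chmod 400 /proc/config.gz` is the minimal fix for a kernel you cannot rebuild, but a mode change on a procfs entry is held in memory only and comes back as the default at the next boot, so it has to be applied from an init script rather than once by hand; and restricting /proc/config.gz changes nothing if the same configuration is world-readable in /usr/src/linux/.config or /boot, which is exactly what the audit above surfaces.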
> On 30.03.2005, Jose Maria Lopez Hernandez <jkerouac@bgsec.com> wrote: >> >> This can be bad if you are using patches like >> grsecurity and you don't want to show them to your users. Just use the ACL system ;^). > Remember that you can do `chmod 600 /proc/config.gz'. No sense in writing to that file, so 400 would be wiser IMHO. -- David Serrano |