Security
Today I made available a 3.2.0 kernel for my KVM guest which has a bastardised version of the PID hiding patch configured:
- procfs: add hidepid= and gid= mount options
- bugfix - proc: fix null pointer deref in proc_pid_permission()
So now on my guest, as myself, I can only see this:
steve@steve:~$ ls -l /proc/ | egrep ' [0-9]+$' dr-xr-xr-x 7 steve users 0 Jan 13 17:22 15150 dr-xr-xr-x 7 steve users 0 Jan 13 17:29 15739 dr-xr-xr-x 7 steve users 0 Jan 13 17:29 15740 lrwxrwxrwx 1 root root 64 Jan 13 17:20 self -> 15739Running as root I see the full tree:
steve:~# ls -l /proc/ | egrep ' [0-9]+$' total 0 dr-xr-xr-x 7 root root 0 Jan 13 17:20 1 dr-xr-xr-x 7 root root 0 Jan 13 17:20 1052 dr-xr-xr-x 7 root root 0 Jan 13 17:20 1086 dr-xr-xr-x 7 root root 0 Jan 13 17:20 1101 dr-xr-xr-x 7 root root 0 Jan 13 17:20 1104 dr-xr-xr-x 7 root root 0 Jan 13 17:21 1331 dr-xr-xr-x 7 pdnsd proxy 0 Jan 13 17:21 14409 dr-xr-xr-x 7 root root 0 Jan 13 17:21 14519 ..This (obviously) affects output from top etc too. It is a neat feature which I think is worth having, but time will tell..
mod_ifier
A long time ago I put together an Apache module which allowed the evaluation of security rules against incoming HTTP requests. mod_ifier was largely ignored by the world. But this week it did receive a little attention.
The recent rash of Hash Collision attacks inspired inspired a fork with parameter filtering. Neat.
Otherwise nothing too much to report - though I guess I didn't actually share the link to the RESTful file store I mentioned previously. Should you care you can find it here:
ObQuote: "I saw a man, he danced with his wife" - Chicago, Frank Sinatra
Tags: mod_ifier, proc, security 2 comments