summaryrefslogtreecommitdiff
path: root/hurd/translator/procfs/jkoenig/discussion.mdwn
blob: e7fdf46e63128800d9cceff37212f1368edae4fd (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
[[!meta copyright="Copyright © 2010, 2011, 2012 Free Software Foundation,
Inc."]]

[[!meta license="""[[!toggle id="license" text="GFDL 1.2+"]][[!toggleable
id="license" text="Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.2 or
any later version published by the Free Software Foundation; with no Invariant
Sections, no Front-Cover Texts, and no Back-Cover Texts.  A copy of the license
is included in the section entitled [[GNU Free Documentation
License|/fdl]]."]]"""]]

[[!tag open_issue_hurd]]

[[!toc]]


# Miscellaneous

IRC, #hurd, around September 2010

    <youpi> jkoenig: from a quick read, your procfs implementation seems quite
      simple, probably much more what I was expecting from Madhusudan (who
      probably now hates you :) )
    <youpi> jkoenig: is it not possible to provide a /proc/self which points at
      the client's pid?
    <pinotree> (also, shouldn't /proc/version say something else than "Linux"?)
    <youpi> to make linux tools work, no :/
    <youpi> kfreebsd does that too
    <pinotree> really?
    <youpi> yes
    <youpi> (kfreebsd, not freebsd)
    <pinotree> does kbsd's one print just "Linux version x.y.z" too, or
      something more eg in a second line?
    <pinotree> (as curiosity)
    <youpi> % cat /proc/version
    <youpi> Linux version 2.6.16 (des@freebsd.org) (gcc version 4.3.5) #4 Sun
      Dec 18 04:30:00 CET 1977
    <pinotree> k
    <giselher> I had some problems with killall5 to read the pid from /proc, Is
      this now more reliable?
    <youpi> I haven't tested with jkoenig's implementation
    [...]
    <pinotree> looks like he did 'self' too, see rootdir_entries[] in rootdir.c
    <youpi> but it doesn't point at self
    <antrik> youpi: there is no way to provide /proc/self, because the server
      doesn't know the identity of the client
    <youpi> :/
    <antrik> youpi: using the existing mechanisms, we would need another magic
      lookup type
    <antrik> an alternative idea I discussed with cfhammer once would be for
      the client to voluntarily provide it's identity to the server... but that
      would be a rather fundamental change that requires careful consideration
    <antrik> also, object migration could be used, so the implementation would
      be provided by the server, but the execution would happen in the
      client... but that's even more involved :-)
    <youpi> but we've seen how much that'd help with a lot of other stuff
    <antrik> I'm not sure whether we discussed this on the ML at some point, or
      only on IRC
    <youpi> it "just" needs to be commited :)
    <antrik> in either case, it can't hurt to bring this up again :-)


# root group

IRC, #hurd, around October 2010

    <pinotree> the only glitch is that files/dirs have the right user as
      owner, but always with root group


# `/proc/$pid/stat` being 400 and not 444, and some more

IRC, freenode, #hurd, 2011-03-27

    <pochu> is there a reason for /proc/$pid/stat to be 400 and not 444 like on
      Linux?
    <pochu> there is an option to procfs to make it 444 like Linux
    <pochu> jkoenig: ^
    <jkoenig> pochu, hi
    <jkoenig> /proc/$pid/stat reveals information which is not usually
      available on Hurd
    <jkoenig> so I made it 400 by default to avoid leaking anything
    <pochu> is there a security risk in providing that info?
    <jkoenig> probably not so much, but it seemed like it's not really a
      descision procfs should make
    <jkoenig> I'm not sure which information we're speaking about, though, I
      just remember the abstract reason.
    <pochu> things like the pid, the memory, the priority, the state...
    <pochu> sounds safe to expose
    <jkoenig> also it's 0444 by default in "compatible" mode
    <jkoenig> (which is necessary for the linux tools to work well)
    <pochu> yeah I saw that :)
    <pochu> my question is, should we change it to 0444 by default? if there
      are no security risks and this improves compatibility, sounds like a good
      thing to me
    <pochu> we're already 'leaking' part of that info through e.g. ps
    <jkoenig> I think /proc should be translated by /hurd/procfs --compatible
      by default (I'm not sure whether it's already the case)
    <jkoenig> also I'm not sure why hurd-ps is setuid root, rather than the
      proc server being less paranoid, but maybe I'm missing something.
    <pochu> jkoenig: it's not, at least not on Debian
    <pochu> youpi: hi, what do you think about starting procfs with
      --compatible by default?
    <pochu> youpi: or changing /proc/$pid/stat to 0444 like on Linux
      (--compatible does that among a few other things)
    <youpi> I guess you need it for something?
    <pochu> I'm porting libgtop :)
    <youpi> k
    <pochu> though I still think we should do this in procfs itself
    <youpi> ymmv
    <jkoenig> pochu, youpi, --compatible is also needed because mach's high
      reported sysconf(_SC_CLK_TCK) makes some integers overflow (IIRC)
    <youpi> agreed
    <jkoenig> luckily, tools which use procfs usually try to detect the value
      /proc uses rather than rely on CLK_TCK
    <jkoenig> (so we can choose whatever reasonable value we want)

IRC, freenode, #hurd, 2011-03-28

    <antrik> jkoenig: does procfs expose any information that is not available
      to everyone through the proc server?...
    <antrik> also, why is --compatible not the default; or rather, why is there
      even another mode? the whole point of procfs is compatibility...
    <jkoenig> antrik, yes, through the <pid>/environ and (as mentionned above)
      <pid>/stat files, but I've been careful to make these files readable only
      to the process owner
    <jkoenig> --compatible is not the default because it relaxes this paranoia
      wrt. the stat file, and does not conform to the specification with regard
      to clock tick counters
    <antrik> what specification?
    <jkoenig> the linux proc(5) manpage
    <jkoenig> which says clock tick counters are in units of
      1/sysconf(_SC_CLK_TCK)
    <antrik> so you are saying that there is some information that the Hurd
      proc server doesn't expose to unprivileged processes, but linux /proc
      does?
    <jkoenig> yes
    <antrik> that's odd. I wonder what the reasoning behind that could be
    <antrik> but this information is available through Hurd ps?
    <antrik> BTW, what exactly is _SC_CLK_TCK supposed to be?
    <pinotree> jkoenig: hm, just tried with two random processes on linux
      (2.6.32), and enrivon is 400
    <pinotree> (which makes sense, as you could have sensible informations eg
      in http_proxy or other envvars)
    <jkoenig> antrik, CLK_TCK is similar to HZ (maybe clock resolution instead
      of time slices ?)
    <jkoenig> sysconf(3) says "The number of clock ticks per second."
    <jkoenig> antrik, I don't remember precisely what information this was, but
      ps-hurd is setuid root.
    <jkoenig> anyway, if you run procfs --compatible as a user and try to read
      foo/1/stat, the result is an I/O error, which is the result of the proc
      server denying access.
    <antrik> but Linux /proc acutally uses HZ as the unit IIRC? or is
      _SC_CLK_TCK=HZ on Linux?...
    <jkoenig> I expect they're equal.
    <jkoenig> in practice procps uses heuristics to guess what value /proc uses
      (for compatibility purposes with older kernels)
    <jkoenig> I don't think HZ is POSIX, while _SC_CLK_TCK is specifies as the
      unit for (at least) the values returned by times()
    <jkoenig> s/specifies/specified/
    <jkoenig> antrik, some the information is fetched directly from mach by
      libps, and understandably, the proc server does not give the task port to
      anyone who asks.
    <antrik> well, as long as the information is exposed through ps, there is
      no point in hiding it in procfs...
    <antrik> and I'm aware of the crazy guessing in libproc... I was actually
      mentoring the previous procfs implementation
    <antrik> (though I never got around to look at his buggy code...)
    <jkoenig> ok

IRC, freenode, #hurd, 2011-07-22

    <pinotree> hm, why /proc/$pid/stat is 600 instead of 644 of linux?
    <jkoenig> pinotree, it reveals information which, while not that sensitive,
      would not be available to users through the normal proc interface.
    <jkoenig> (it's available through the ps command which is setuid root)
    <jkoenig> we discussed at some point making it 644, IIRC.
    <pinotree> hm, then why is it not a problem on eg linux?
    <jkoenig> (btw you can change it with the -s option.)
    <jkoenig> pinotree, it's not a problem because the information is not that
      sensitive, but when rewriting procfs I preferred to play it self and
      consider it's not procfs' job to decide what is sensitive or not.
    <jkoenig> IIRC it's not sensitive but you need the task port to query it.
    <jkoenig> like, thread times or something.
    <pinotree> status is 644 though
    <jkoenig> but status contains information which anyone can ask to the proc
      server anyway, I think.


# `/proc/mounts`, `/proc/$pid/mounts`

IRC, freenode, #hurd, 2011-07-25

    < pinotree> jkoenig: btw, what do you think about providing empty
      /proc/mounts and /proc/$pid/mounts files?
    < jkoenig> pinotree, I guess one would have to evaluate the consequences
      wrt. existing use cases (in other words, "I have absolutely no clue
      whatsoever about whether that would be desirable" :-)
    < jkoenig> pinotree, the thing is, an error message like "/proc/mounts: No
      such file or directory" is rather explicit, whereas errors which would be
      caused by missing data in /proc/mounts would maybe be harder to track
    < braunr> this seems reasonable though
    < braunr> there already are many servers with e.g. grsecurity or chrooted
      environments where mounts is empty
    < pinotree> well, currently we also have an empty mtab
    < braunr> pinotree: but what do you need that for ?
    < braunr> pinotree: the init system ?
    < pinotree> and the mnt C api already returns no entries (or it bails out,
      i don't remember)
    < pinotree> not a strict need


# `/proc/[PID]/auxv`, `/proc/[PID]/exe`, `/proc/[PID]/mem`

Needed by glibc's `pldd` tool (commit
11988f8f9656042c3dfd9002ac85dff33173b9bd).


# `/proc/self/exe`

[[!message-id "alpine.LFD.2.02.1110111111260.2016@akari"]]


# `/proc/[PID]/fd/`

## IRC, freenode, #hurd, 2012-04-24

    <antrik> braunr: /proc/*/fd can be implemented in several ways. none of
      them would require undue centralisation
    <antrik> braunr: the easiest would be adding one more type of magic lookup
      to the existing magic lookup mechanism
    <antrik> wait, I mean /proc/self... for /proc/*/fd it's even more
      straighforward -- we might even have a magic lookup for that already
    <pinotree> i guess the ideal thing would be implement that fd logic in
      libps
    <antrik> pinotree: nope. it doesn't need to ask proc (or any other server)
      at all. it's local information. that's what we have the magic lookups for
    <antrik> one option we were considering at some point would be using the
      object migration mechanism, so the actual handling would still happen
      client-side, but the server could supply the code doing it. this would
      allow servers to add arbitrary magic lookup methods without any global
      modifications... but has other downsides :-)
    <gnu_srs> youpi: How much info for /proc/*/fd is possible to get from
      libps? Re: d-h@
    <youpi> see my mail
    <youpi> I don't think there is an interface for that
    <youpi> processes handle fds themselves
    <youpi> so libps would have to peek in there
    <youpi> and I don't remember having seen any code like that
    <gnu_srs> 10:17:17< antrik> wait, I mean /proc/self... for /proc/*/fd it's
      even more straighforward -- we might even have a magic lookup for that
      already
    <gnu_srs> pinotree: For me that does not ring a bell on RPCs. Don't know
      what magic means,,
    <youpi> for /proc/self/fd we have a magic lookup
    <youpi> for /proc/pid/fd, I don't think we have
    <gnu_srs> magic lookup*
    <gnu_srs> magic lookup == RPC?
    <youpi> magic lookup is a kind of answer to the lookup RPC
    <youpi> that basically says "it's somewhere else, see there"
    <youpi> the magic FD lookup tells the process "it's your FD number x"
    <youpi> which works for /proc/self/fd, but not /proc/pid/fd
    <civodul> youpi, gnu_srs: regarding FDs, there the msg_get_fd RPC that
      could be used
    <civodul> `msgport' should have --get-fd, actually
    <youpi> civodul: I assumed that the reason why msgport doesn't have it is
      that it didn't exist
    <youpi> so we can get a port on the fd
    <youpi> but then how to know what it is?
    <civodul> youpi: ah, you mean for the /proc/X/fd symlinks?
    <civodul> good question
    <civodul> it's not designed to be mapped back to names, indeed :-)
    <antrik> youpi: yeah, I realized myself that only /proc/self/fd is trivial
    <antrik> BTW, in Linux it's nor real symlinks. it's magic, with some very
      strange (but useful in certain situations) semantics
    <antrik> not real symlinks
    <antrik> it's very weird for example for fd connected to files that have
      been unlinked. it looks like a broken symlink, but when dereferencing
      (e.g. with cp), you get the actual file contents...