Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

FreeBSD 4.x: Safe to unmount the proc filesystem??

Posted on 2001-09-03
7
Medium Priority
?
476 Views
Last Modified: 2010-04-21
guys,
 
This question relates to patching a security hole in FREEBSD 4.1 as advised in the advisory below.

My question is:  
Is it safe to unmount the proc filesystem on a production server ?
Can this be used as a permanent workaround ?
Please advice...
 
Tq!
 
>>>>>>>>
 
FreeBSD-SA-01:55
procfs vulnerability leaks set[ug]id process memory

IV. Workaround

To work around the problem, perform the following steps as root:

Unmount all instances of the procfs and linprocfs filesystems using
the unmount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

Disable the automatic mounting of all instances of procfs in /etc/fstab:
remove or comment out the line(s) of the following form:

proc /proc procfs rw 0 0
proc /compat/linux/proc linprocfs rw 0 0
0
Comment
Question by:thiamwah
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 40

Expert Comment

by:jlevie
ID: 6452924
As long as you aren't using Linux compatibility mode, then yes it probably should be safe. But you may loose access to some tools that use procfs and information represented there. I don't know that I'd consider that to be a permanent solution. A better long term solution would be to upgrade to a later version (say 4.3 STABLE).
0
 

Author Comment

by:thiamwah
ID: 6455734
hi jlevie,

I see many directories created by nobody (apache user)
and other users on a daily basis. Please advice.

--- ls -al sampling of /proc ---

dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42958
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42959
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42960
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42961
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42962
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42963
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42964
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42965
dr-xr-xr-x  15 nobody  nogroup   512 Sep  5 13:44 42966
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 43632
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 455
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 5
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 64075
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 64077
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 66237
dr-xr-xr-x  15 root    wheel     512 Sep  5 13:44 66370
....


0
 

Author Comment

by:thiamwah
ID: 6455788
hi jlevie,

I need your expertise in FreeBSD.. :)
can you also look at my other related question at
http://www.experts-exchange.com/jsp/qManageQuestion.jsp?ta=unix&qid=20178625

Thxs!
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 40

Expert Comment

by:jlevie
ID: 6456917
Those represent process information for active processes on the system. It's normal to see them being created and removed as processes start and exit. And that's the problem with unmounting procfs. And tool that needs to access the process information won't work if it can't get to procfs.

The best solution is, as stated above, to upgrade the system to a version that doesn't have the vulnerability. I'd have to check to be certain, but I think that this vulnerability may have been closed by one of the updates to 4.1. If that's the case then you could cvsup your sources for 4.1 to STABLE and re-build the system with 'make world'
0
 
LVL 40

Expert Comment

by:jlevie
ID: 6456947
Nope, never mind about the 4.1 STABLE branch. I don't see any evidence that the fix has been applied there.
0
 

Author Comment

by:thiamwah
ID: 6462985
hi jlevie,

I am a bit paranoid about having to CVSUp the whole source and recompiling them because I tried on a Pentium Celeron with 64 MB ram, and it tooks hours to even download the whole source. And I read comments that it will take another 3.5 hours to recompile the sources. YIKES! :)

Compiling kernels is OK to me but compiling the whole source tree.. !

My production machines are all DELL Dual Pentium 3 CPUs with 512 MB RAM. I wonder how would they fare ? How do I minimize the chances that anything would go wrong inn your experience of cvsuping sources on a prod machine?

Are they any links in your recommendation that I can refer to for this topic? Pls advice!

Thanks a million
0
 
LVL 40

Accepted Solution

by:
jlevie earned 400 total points
ID: 6469214
Cvsup'ing the source tree can take quite a while, depending on how fast your Internet link is and how busy the cvs site that you use is. When I'm going to cvsup a system I check connectivity to each of the sites and try the one with the lowest ping RTT. Usually that will be the site that I'll get the best response from. Assming all of your boxes are all "reachable" from each other, you can use one box to to do the cvsup and the compiles. The result can then be installed on the other boxes. The way I do that is to NFS export /usr/src, /usr/obj, & /usr/ports and mount those volumes on the other boxes.

Yeah doing a 'make buildworld' on a 64Mb system will be on the slow side. Doing so on one of you dual processor boxes should be pretty quick as they have a decent about of ram. The advantage of building everything is, of course, that you get all of the updates for all the important stuff. It doesn't update a lot of the userland utilities (X, KDE/Gnome, etc.) that come from the eports collection. But after updating the OS and the ports collection you can pretty easily update anything from the ports collection.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In tuning file systems on the Solaris Operating System, changing some parameters of a file system usually destroys the data on it. For instance, changing the cache segment block size in the volume of a T3 requires that you delete the existing volu…
A metadevice consists of one or more devices (slices). It can be expanded by adding slices. Then, it can be grown to fill a larger space while the file system is in use. However, not all UNIX file systems (UFS) can be expanded this way. The conca…
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
This video shows how to set up a shell script to accept a positional parameter when called, pass that to a SQL script, accept the output from the statement back and then manipulate it in the Shell.

604 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question