SECURITY PROBLEM OR NOT

From: Michel De Rouck (michel.de-rouck@steria.be)
Date: 11/27/02


Date: Wed, 27 Nov 2002 09:23:32 +0100
From: Michel De Rouck <michel.de-rouck@steria.be>


*** post for FREE via your newsreader at post.newsfeed.com ***

I know this is the way it works on some UNIX flavours ( I don't know if
ALL off them have the same problem)
I could find solutions to work arround this problem ....
But my question remains , is there someone who could confirm that this
is not a security breach against C2
security certification ?
If not , could someone explain why it is not against C2 security ??

>The following issue seems for me to be a security breach , however
>having it reported to IBM
>they state that it is not .
>For them this behaviour is even C2 compliant ?
>Could someone of you comment on this ?

>In AIX 4.3.3 (I suspect other UNIX flavours also have the same
>behaviour .... IBM states this is
>already so since 20 years !) some normal "non-root" user can see the

>complete
>proces environment variables and parameters of whatever proces with the

>command "ps geww" !

>That root can see all proces environment variables and parameters of
>whatever proces ,
>can be agreed.
>That a non-root user can see all proces environment variables and
>parameters of his own processes
>can be agreed.
>But that whatever non-root user can see all proces environment
>variables and parameters of all system
>processes seems to be a security breach for me ?
>Sensitive data could be in the environment variables !

 -----= Posted via Newsfeed.Com, Uncensored Usenet News =-----
http://www.newsfeed.com - The #1 Newsgroup Service in the World!
-----== 100,000 Groups! - 19 Servers! - Unlimited Download! =-----