Re: darkhttpd: timing attack and local leak of HTTP basic auth credentials
Open Source Security
Posted by Hanno Böck on Jan 23
I’d like to comment on that.
While „on Linux“ *in most distros default settings* this is true, the
Linux Kernel actually has a mitigation for this since quite a while.
This is a feature that I believe was initially introduced by
grsecurity, but was lated ported as an option to the mainline kernel.
/proc can be mounted with the hidepid option (ideally set to hidepid=2)
, with it enabled users cannot see processes of other users….