Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 2 Apr 2002 15:48:38 -0400
From:      "N. J. Cash" <ncash@pei.eastlink.ca>
To:        "Jason Stone" <jason@shalott.net>, "Jesper Wallin" <z3l3zt@phucking.kicks-ass.org>
Cc:        <security@FreeBSD.ORG>
Subject:   Re: Stop usage of "who"?
Message-ID:  <002301c1da7f$629f66c0$6401a8c0@router.unknown.ca>
References:  <20020401210722.S94832-100000@walter>

next in thread | previous in thread | raw e-mail | index | archive | help
As far as trying to chmod permissions on files I would recomend that you
check out and use *jail* instead.
Jail can be a little tricky to get going but it's a nice way to limit users
to basically no or customized shell access commands.
It can also prevent a cd .. to /home *so no looking around!*

In FreeBSD *man jail* is a little funky to understand, i'd try a google
search about it for some more detailed info..

It'll work perfectly if you have the time and patience to do it : )

Here's some info on quotas if you never seen it yet..

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html


----- Original Message -----
From: Jason Stone
To: Jesper Wallin
Cc: security@FreeBSD.ORG
Sent: Tuesday, April 02, 2002 4:05 AM
Subject: Re: Stop usage of "who"?


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


> Now I want to stop usage of commands like w, who and users.. I guess
> it must be able to change somewhere in the proc dir instead of
> changing the permissons on all the executables..

Most daemons/programs that log you in write a record into utmp/wtmp when
they do so, and who(1) _et al_ just read utmp and print out whatever is in
it.

So to make this machanism fail, it is sufficient to either stop the
writing to utmp/etc, or to stop the reading of utmp/etc.

The files in question are (from /usr/include/utmp.h):
#define _PATH_UTMP      "/var/run/utmp"
#define _PATH_WTMP      "/var/log/wtmp"
#define _PATH_LASTLOG   "/var/log/lastlog"

Making all these files mode 600 would allow who(1) to be run normally by
root but fail for normal users.  Also remember to change newsyslog.conf so
that the restrictive permissions will get preservers when the files get
rotated.


Note that users will still be able to see some information about other
users.  netstat(1), for example, will show users all open network
connections, vmstat(8) will allow users to see if someone is working at
the physical console, etc.


> Another thing I want to do (if it's possible) is to add a default
> quota.. like, all new users who's being added will have about 500Mb of
> disk space..

quotas are discussed in detail in section 12.5 of the handbook - check
that out and then mail freebsd-questions if you have specific questions.
If you're wondering strictly about setting the default when you create
users, well then it depends on how you're creating the users, and there
are many approaches you can take depending on your needs.  wrapping pw(8)
with a shell or perl script and running another script from cron to check
that all users have a quota is the approach I'd take.


 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet.  Here's what I worry about.  I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
-- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8qWYzswXMWWtptckRAtsaAKC4K3omxAaymOrfSakae1dbL0XDwACgtACu
ig/YFCB7SkvzPjoP7x4ziHg=
=cgJ2
-----END PGP SIGNATURE-----


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?002301c1da7f$629f66c0$6401a8c0>