From: "N. J. Cash"
To: "Jason Stone", "Jesper Wallin"
Subject: Re: Stop usage of "who"?
Date: Tue, 2 Apr 2002 15:48:38 -0400
Sender: owner-freebsd-security@FreeBSD.ORG

As far as trying to chmod permissions on files, I would recommend that you
check out and use *jail* instead. Jail can be a little tricky to get going,
but it's a nice way to limit users to basically no or customized shell
access commands. It can also prevent a cd .. to /home *so no looking
around!*

In FreeBSD, *man jail* is a little funky to understand; I'd try a Google
search about it for some more detailed info. It'll work perfectly if you
have the time and patience to do it : )

Here's some info on quotas if you haven't seen it yet:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html

----- Original Message -----
From: Jason Stone
To: Jesper Wallin
Cc: security@FreeBSD.ORG
Sent: Tuesday, April 02, 2002 4:05 AM
Subject: Re: Stop usage of "who"?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Now I want to stop usage of commands like w, who and users..
> I guess it must be able to change somewhere in the proc dir instead of
> changing the permissions on all the executables..

Most daemons/programs that log you in write a record into utmp/wtmp when
they do so, and who(1) _et al_ just read utmp and print out whatever is in
it. So to make this mechanism fail, it is sufficient to either stop the
writing to utmp/etc, or to stop the reading of utmp/etc. The files in
question are (from /usr/include/utmp.h):

    #define _PATH_UTMP      "/var/run/utmp"
    #define _PATH_WTMP      "/var/log/wtmp"
    #define _PATH_LASTLOG   "/var/log/lastlog"

Making all these files mode 600 would allow who(1) to be run normally by
root but fail for normal users. Also remember to change newsyslog.conf so
that the restrictive permissions will get preserved when the files get
rotated.

Note that users will still be able to see some information about other
users. netstat(1), for example, will show users all open network
connections, vmstat(8) will allow users to see if someone is working at
the physical console, etc.

> Another thing I want to do (if it's possible) is to add a default
> quota.. like, all new users who are being added will have about 500Mb of
> disk space..

Quotas are discussed in detail in section 12.5 of the handbook - check
that out and then mail freebsd-questions if you have specific questions.

If you're wondering strictly about setting the default when you create
users, well then it depends on how you're creating the users, and there
are many approaches you can take depending on your needs. Wrapping pw(8)
with a shell or perl script and running another script from cron to check
that all users have a quota is the approach I'd take.

 -Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about.
I worry that 10 or 15 years from now, she will come to me and say "Daddy,
where were you when they took freedom of the press away from the
Internet?" -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE8qWYzswXMWWtptckRAtsaAKC4K3omxAaymOrfSakae1dbL0XDwACgtACu
ig/YFCB7SkvzPjoP7x4ziHg=
=cgJ2
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
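
Added example, not part of either message in this thread: a sh audit of the two steps Jason Stone's reply describes, mode 600 on the utmp/wtmp/lastlog files and a matching mode in newsyslog.conf so rotation does not undo it. The function names, the ROOT prefix argument and the sample newsyslog.conf line are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): audit the login-record file advice.
# Checks that the files are closed to group/other and that newsyslog.conf
# will not recreate them with a looser mode on rotation.
LOGIN_RECORDS="/var/run/utmp /var/log/wtmp /var/log/lastlog"

# Print the mode newsyslog.conf assigns to a log file; empty if no entry.
# Entry layout: logfile [owner:group] mode count size when [flags ...]
newsyslog_mode() {  # $1 = newsyslog.conf, $2 = log file path
    [ -r "$1" ] || return 0
    awk -v f="$2" '$1 == f { print ($2 ~ /:/ ? $3 : $2); exit }' "$1"
}

# audit_login_records ROOT CONF
# ROOT is a path prefix ("" for the live system); returns the finding count.
audit_login_records() {
    root=$1; conf=$2; bad=0
    for f in $LOGIN_RECORDS; do
        if [ -e "$root$f" ]; then
            # Characters 5-10 of the ls mode string are the group/other bits.
            perms=$(ls -ld "$root$f" | cut -c5-10)
            if [ "$perms" != "------" ]; then
                echo "FAIL $f: group/other bits set ($perms)"
                bad=$((bad + 1))
            fi
        fi
        mode=$(newsyslog_mode "$conf" "$f")
        if [ -n "$mode" ] && [ "$mode" != "600" ]; then
            echo "FAIL $f: rotation recreates it with mode $mode"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Constructed sample: lastlog is left at 644, and wtmp is 600 on disk but
# its newsyslog.conf entry says 644, so rotation would undo the chmod.
demo_audit() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/var/run" "$t/var/log"
    for f in $LOGIN_RECORDS; do : > "$t$f"; chmod 600 "$t$f"; done
    chmod 644 "$t/var/log/lastlog"
    printf '%s\n' '/var/log/wtmp 644 3 * @01T05 B' > "$t/newsyslog.conf"
    n=0; audit_login_records "$t" "$t/newsyslog.conf" || n=$?
    rm -rf "$t"
    echo "$n finding(s)"
}

if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

On a live system, `audit_login_records "" /etc/newsyslog.conf` checks the real files; the exit status is the number of findings, which suits a cron job.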