From: "Reko Turja"
Date: Thu, 6 Jan 2005 14:07:50 +0200
Subject: Re: Running top on system console without being logged on
X-BeenThere: freebsd-questions@freebsd.org

----- Original Message -----
From: "Anthony Atkielski"
Sent: Thursday, January 06, 2005 3:48 AM
Subject: Re: Running top on system console without being logged on

>> How about creating a user like this with vipw:
>> topper::userno:groupno::0:0:Topper Harley:/nonexistent:/usr/bin/top
>> and then just logging in on spare console screen as topper?
>>
>> I'm not sure if there are security implications though, even if the user
>> is not member of the wheel group etc.
>
> I've considered this, but like you, I'm not sure of the security
> implications, so I haven't actually done it. And is it possible to
> include command-line options in the login shell command for a user?

Actually not command line options as such, but you can make a login class for the top user in /etc/login.conf and feed the options via TOP environment variable from there.

You can't shell out from top and renicing from non root account is impossible (except dropping the niceness of your own process). I think the approach is secure enough and if you give "topper" good enough password or deny logon from anywhere except from console, everything should be ok.

Of course if the terminal is accessible to others than administrative staff, giving out the usernames can be a risk, but you can use the usernumbers option to avoid giving out the usernames.

Did myself something very similar with an IPless firewall between a while back but I ran vmstat in the console instead. Good one glance monitoring without the need of logging on the machine itself.

-Reko
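The points raised in the message above (a real password, a login class that sets TOP, console-only logon) can be checked mechanically; the following is an added example, not part of the original post. The function name `audit_kiosk`, the uid/gid 1010, the class name `topper`, the tty `ttyv7`, the password hash string and the use of login.conf's `ttys.allow` capability for the console restriction are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a top-only console account.
# Usage: audit_kiosk USER MASTER_PASSWD LOGIN_CONF
# Prints one finding per line; returns 0 when there are none, 1 otherwise.
audit_kiosk() {
    findings=$( {
        # master.passwd fields: name:pw:uid:gid:class:change:expire:gecos:home:shell
        awk -F: -v u="$1" '
            $1 != u { next }
            { seen = 1 }
            $2 == ""              { print "empty password field" }
            $3 == 0               { print "uid 0" }
            $5 == ""              { print "no login class" }
            $10 != "/usr/bin/top" { print "shell is not /usr/bin/top" }
            END { if (!seen) print "user not found" }' "$2"
        class=$(awk -F: -v u="$1" '$1 == u { print $5; exit }' "$2")
        [ -n "$class" ] || exit 0
        # Join the class record: login.conf continues lines with a trailing "\".
        # Only the first name of a "name|alias:" record is compared.
        rec=$(awk -v c="$class" '
            /^#/ { next }
            { cont = sub(/\\$/, ""); buf = buf $0 }
            !cont { split(buf, f, /[:|]/); if (f[1] == c) print buf; buf = "" }' "$3")
        [ -n "$rec" ] || { echo "class $class not in login.conf"; exit 0; }
        case $rec in *:setenv=TOP=*) ;; *) echo "class does not set TOP" ;; esac
        case $rec in *:ttys.allow=*) ;; *) echo "class has no ttys.allow" ;; esac
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample input: the entry as posted (uid/gid filled in), then hardened.
d=$(mktemp -d)
cat > "$d/weak.passwd" <<'EOF'
topper::1010:1010::0:0:Topper Harley:/nonexistent:/usr/bin/top
EOF
cat > "$d/hard.passwd" <<'EOF'
topper:$2a$04$constructedhash:1010:1010:topper:0:0:Topper Harley:/nonexistent:/usr/bin/top
EOF
cat > "$d/login.conf" <<'EOF'
topper:\
    :setenv=TOP=-u:\
    :ttys.allow=ttyv7:\
    :tc=default:
EOF
audit_kiosk topper "$d/weak.passwd" "$d/login.conf" || echo "weak entry: findings above"
audit_kiosk topper "$d/hard.passwd" "$d/login.conf" && echo "hardened entry: clean"
```

On a live system, run `cap_mkdb /etc/login.conf` after editing the class so the change takes effect.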