From: Mike Meyer
Date: Fri, 2 Feb 2001 12:00:46 -0600 (CST)
To: Odhiambo Washington
Cc: Mike Meyer, FBSD-Q
Subject: Re: kern.securelevel changes?
Message-ID: <14970.62926.923267.85660@guru.mired.org>
In-Reply-To: <20010202202436.B82567@poeza.iconnect.co.ke>

Odhiambo Washington types:
> * Mike Meyer [20010202 20:10]: writing on the subject 'Re: kern.securelevel changes?'
> Mike> Omer Faruk Sen types:
> Mike> > hi.
> Mike> > Is there a document that explains all changes when I
> Mike> > switch my kern.securelevel from -1 to 0 or at the same
> Mike> > time switch it from 0 to +1?
> Mike>
> Mike> The init man page.
> Mike>
> Mike> > I want to make my users just to see their own process
> Mike> > not other? How can I obtain that? I was thinking that it
> Mike> > was about kern.securelevel but I did -1 --> 0 and
> Mike> > nothing has changed users still can see other
> Mike> > processes
> Mike>
> Mike> Well, someone claimed there was a sysctl to do that, but I don't see
> Mike> how, as ps reads kernel virtual memory, and once you can do that, you
> Mike> can read the info for any process, not just your own.
>
> Mike, then in that case how does an ordinary user circumvent this one:
>
> kern.ps_showallprocs=0

I was wrong about the way ps behaved - I read the wrong branch of the if
:-(. It actually uses sysctls to get that information, not the nlist
code I was looking at. While you could tweak the code to make it use
the nlist code (which is still there), you'd have to run setgid kmem
or setuid root. If people can do that on your system, you have more
important things to worry about than just setting the sysctl.

http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
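
An added example, not part of the original message: the reply above says the sysctl can only be sidestepped by a binary running setgid kmem or setuid root, so this filter flags exactly those two cases in an `ls -l` listing. The function names, paths and sample listing are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Flag files that are setuid with owner root, or setgid with group kmem.
# Input: `ls -l` style lines on stdin. Output: one "REASON path" line per hit.
audit_listing() {
    awk '
    NF >= 9 && $1 ~ /^-/ {                 # regular files only
        mode = $1; owner = $3; group = $4
        # Character 4 of the mode string is the owner-execute slot: s/S = setuid.
        suid = (substr(mode, 4, 1) ~ /[sS]/)
        # Character 7 is the group-execute slot: s/S = setgid.
        sgid = (substr(mode, 7, 1) ~ /[sS]/)
        # Rejoin the path in case it contains spaces.
        path = $9
        for (i = 10; i <= NF; i++) path = path " " $i
        if (suid && owner == "root") print "setuid-root " path
        if (sgid && group == "kmem") print "setgid-kmem " path
    }'
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
    cat <<'EOF'
-r-xr-sr-x  1 root  kmem   29000 Feb  2  2001 /usr/local/bin/oldps
-r-sr-xr-x  1 root  wheel  21000 Feb  2  2001 /usr/local/bin/roottool
-rwxr-xr-x  1 alice users  15000 Feb  2  2001 /home/alice/bin/myps
-rwsr-xr-x  1 alice users  15000 Feb  2  2001 /home/alice/bin/helper
-rwxr-sr-x  1 root  kmem   15000 Feb  2  2001 /usr/local/bin/odd tool
EOF
}

# On a live system the same filter can be fed from find:
#   find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} + | audit_listing
sample_listing | audit_listing
```

The two files owned by `alice` are not reported: a setuid bit on a user-owned copy of `ps` grants neither root nor the kmem group.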