From owner-freebsd-hackers@FreeBSD.ORG Tue Mar 29 19:20:02 2005
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE0DF16A4CE for ; Tue, 29 Mar 2005 19:20:02 +0000 (GMT)
Received: from mail.revolutionsp.com (ganymede.revolutionsp.com [64.246.0.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AEDF43D39 for ; Tue, 29 Mar 2005 19:20:02 +0000 (GMT) (envelope-from security@revolutionsp.com)
Received: from mail.revolutionsp.com (localhost [127.0.0.1]) by mail.revolutionsp.com (Postfix) with ESMTP id 87C4F15CA6 for ; Tue, 29 Mar 2005 13:19:06 -0600 (CST)
Received: from 81.84.174.37 (SquirrelMail authenticated user security@revolutionsp.com) by mail.revolutionsp.com with HTTP; Tue, 29 Mar 2005 13:19:06 -0600 (CST)
Message-ID: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com>
Date: Tue, 29 Mar 2005 13:19:06 -0600 (CST)
From: "H. S."
To: freebsd-hackers@freebsd.org
User-Agent: SquirrelMail/1.4.4
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Subject: A few thoughts..
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 29 Mar 2005 19:20:03 -0000

Hey all,

I've been using FreeBSD for a long time; it's my favorite OS and I use it on all my servers and most workstations. However, due to the nature of some of the servers, I've always wondered about something. It is related to something deep in the OS. Let me try to explain.

For example, assume a shell server. There are permission restrictions everywhere, to prevent users from seeing information that should be available only to the administrator (i.e. dmesg, systat, vmstat, and so on). One could assume users won't be able to access the information provided by these utilities. Please consider the following example:

    [UNAME@WORKSTATION:/home/UNAME/] sftp USERNAME@192.168.0.254
    Connecting to 192.168.0.254...
    -- lan gateway --
    USERNAME@192.168.0.254's password:
    sftp> put /sbin/dmesg
    dmesg                                         100% 5392   122.4KB/s   00:00
    sftp> quit
    [UNAME@WORKSTATION:/home/UNAME/] ssh USERNAME@192.168.0.254
    -- lan gateway --
    USERNAME@192.168.0.254's password:
    Last login: Tue Mar 29 19:36:42 2005 from WORKSTATION
    Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
            The Regents of the University of California.  All rights reserved.

    FreeBSD ?.?.? (UNKNOWN)

    Welcome to FreeBSD!

    Before seeking technical support, please use the following resources:

    o  Security advisories and updated errata information for all releases are
       at http://www.FreeBSD.org/releases/ - always consult the ERRATA section
       for your release first as it's updated frequently.

    o  The Handbook and FAQ documents are at http://www.FreeBSD.org/ and,
       along with the mailing lists, can be searched by going to
       http://www.FreeBSD.org/search/.  If the doc distribution has
       been installed, they're also available formatted in /usr/share/doc.

    If you still have a question or problem, please take the output of
    `uname -a', along with any relevant error messages, and email it
    as a question to the questions@FreeBSD.org mailing list.  If you are
    unfamiliar with FreeBSD's directory layout, please refer to the hier(7)
    manual page.  If you are not familiar with manual pages, type `man man'.

    You may also use sysinstall(8) to re-enter the installation and
    configuration utility.  Edit /etc/motd to change this login announcement.

    "man tuning" gives some tips how to tune performance of your FreeBSD system.
                    -- David Scheidt
    [USERNAME@SERVER:/home/USERNAME]$ ./dmesg
    Copyright (c) 1992-2004 The FreeBSD Project.
    Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
            The Regents of the University of California.  All rights reserved.
    FreeBSD 5.3-STABLE #1: Wed Dec 15 20:18:13 WET 2004
        ???@???:/usr/obj/usr/src/sys/???
    Timecounter "i8254" frequency 1193182 Hz quality 0
    CPU: Pentium/P55C (199.31-MHz 586-class CPU)
      Origin = "GenuineIntel"  Id = 0x544  Stepping = 4
      Features=0x8001bf
    real memory  = 83886080 (80 MB)
    avail memory = 72318976 (68 MB)

(changed hostnames/logins - 192.168.0.254 is a host on my lan)

My "USERNAME" account doesn't have access to /sbin/dmesg, but I uploaded a /sbin/dmesg from a 5.2.1-RELEASE to a 5.3-STABLE box, and then I could have access to this system information. The same goes for systat, vmstat, and all these commands that (most people think) shouldn't be available for regular users.

Shouldn't this information be protected at kernel level? Am I missing something I can do about this? Because this method works with everything that resembles permissions in order to hide system information that can be obtained without root privileges.

Another thought: one can use the "logger" utility to write to some logfile that is accessible via syslogd. Example:

    [UNAME@WORKSTATION:/home/UNAME/] logger -t su: evilone to root on/dev/ttyp0
    # tail /var/log/messages
    Mar 29 20:14:11 WORKSTATION su:: evilone to root on/dev/ttyp0

If you can't trust your logs... This also poses another problem: with a little patience, one can fill up /var.

Lastly, does anyone know if FreeBSD is getting systrace support? I think of it as a major drawback in the security field; one can do very interesting things with systrace. Added to other FreeBSD features (jails, etc), it makes a very good security tool.

Any comments appreciated!

Regards.
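The two log concerns raised in the post, entries forged with logger(1) and a user filling /var, can at least be watched for on the collecting side. The following is an added example, not code from the post or from FreeBSD: a small Python audit that parses FreeBSD-style syslog lines, flags su entries whose tag or message deviates from what su(1) itself writes (the su message format used here is an assumption), and flags a burst of lines from a single tag. Every sample line is constructed; the forged line from the post is reproduced among them.

```python
"""Plausibility checks over BSD syslog lines.

Added example: every log line below is constructed for illustration; the
su(1) message format assumed here is "USER to USER on /dev/TTY", optionally
prefixed by "BAD SU ".
"""
import re
from collections import Counter

# FreeBSD syslogd writes RFC 3164-style lines: "Mon DD HH:MM:SS host tag[pid]: message".
# The tag is matched lazily up to the first ": " so that a malformed tag such as
# "su:" (which shows up as "su::" on disk) is captured rather than rejected outright.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+?): (?P<msg>.*)$"
)
# A well-formed tag is a program name with an optional [pid] suffix.
TAG_RE = re.compile(r"^(?P<name>[A-Za-z0-9_.\-/]+)(?:\[(?P<pid>\d+)\])?$")
# What su(1) itself logs (assumed format, see the module docstring).
SU_MSG_RE = re.compile(r"^(?:BAD SU )?[a-z_][a-z0-9_-]* to [a-z_][a-z0-9_-]* on /dev/\S+$")


def parse_line(line):
    """Split one syslog line into fields; return None if it is not syslog-shaped."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    tag = TAG_RE.match(rec["tag"])
    rec["name"] = tag.group("name") if tag else None
    rec["pid"] = tag.group("pid") if tag else None
    return rec


def audit(lines, burst_threshold=20):
    """Return (line_number, reason) findings; line 0 marks whole-sample findings."""
    findings = []
    per_tag = Counter()
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, "unparseable syslog line"))
            continue
        if rec["name"] is None:
            # A daemon using openlog(3) never produces this; a caller-supplied tag string does.
            findings.append((n, f"malformed tag {rec['tag']!r}"))
            continue
        if rec["name"] == "su" and not SU_MSG_RE.match(rec["msg"]):
            findings.append((n, "su message does not match su(1) format"))
        per_tag[(rec["host"], rec["name"])] += 1
    # Many lines under one tag in a short sample is what a deliberate fill-up of /var looks like.
    for (host, name), count in per_tag.items():
        if count > burst_threshold:
            findings.append((0, f"{count} lines tagged {name!r} from {host}: possible log flood"))
    return findings


# Constructed sample: one genuine-looking su line, the forged line from the post,
# a forged line with the tag fixed but the tty spacing still wrong, an unrelated
# sshd line, and a burst of filler lines standing in for a log-flood attempt.
SAMPLE_LINES = [
    "Mar 29 20:13:55 WORKSTATION su: alice to root on /dev/ttyp0",
    "Mar 29 20:14:11 WORKSTATION su:: evilone to root on/dev/ttyp0",
    "Mar 29 20:14:30 WORKSTATION su: evilone to root on/dev/ttyp0",
    "Mar 29 20:15:00 WORKSTATION sshd[812]: Accepted publickey for alice from 192.168.0.10 port 50022 ssh2",
] + [f"Mar 29 20:16:{i:02d} WORKSTATION filler: junk {i}" for i in range(25)]


if __name__ == "__main__":
    for lineno, reason in audit(SAMPLE_LINES):
        print(f"line {lineno}: {reason}")
```

A forger who gets the tag and spacing exactly right produces a line byte-for-byte identical to a real su entry, so a format check catches only sloppy forgeries and is a triage aid, not a trust boundary; that is the post's own point about logs written by a local daemon that accepts any tag from any user.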