From owner-freebsd-questions@FreeBSD.ORG Wed Apr 2 15:41:42 2014
Date: Wed, 02 Apr 2014 11:41:40 -0400
To: "Dan Nelson", "Daniel Corbe"
Subject: Re: Disable w / who
From: "Kenta S."
In-Reply-To: <20140402152956.GA23453@dan.emsphone.com>
References: <20140402034019.A9BE1608AE@smtp.hushmail.com> <20140402152956.GA23453@dan.emsphone.com>
Message-Id: <20140402154140.4EC5C608CA@smtp.hushmail.com>
Cc: freebsd-questions@freebsd.org

On 04/02/2014 at 11:30 AM, "Dan Nelson" wrote:
>
>Also remember to remove /var/run/utx.active, /var/log/utx.*,
>the netstat, sockstat, and lsof commands,

"sysctl security.bsd.see_other_uids=0" solves this, doesn't it? FreeBSD doesn't include lsof.

>plus gcc, clang, and any ability to upload executables :)

This is easily done with mount options in /etc/fstab.

>Unixes weren't really designed for information-hiding at the
>level you're looking for.

It doesn't have to be perfect and stop everyone, just preventing regular users from seeing "w" and "who" was my goal.

>An alternative might be to do some sort of inbound NAT outside
>the box itself, so that all incoming TCP sessions get NAT'ted to
>an internal IP before hitting your server.

I'll look into doing this with pf, thanks.
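An added example, not part of the original message or of FreeBSD itself: a small sh audit for the two settings the reply names, the security.bsd.see_other_uids sysctl and noexec mount options in /etc/fstab. The sample fstab, the watch list of mount points and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original message).

# Constructed sample fstab; devices and layout are made up for illustration.
sample_fstab() {
    cat <<'EOF'
# Device     Mountpoint  FStype  Options           Dump  Pass
/dev/ada0p2  /           ufs     rw                1     1
/dev/ada0p3  /tmp        ufs     rw,noexec,nosuid  2     2
/dev/ada0p4  /var/tmp    ufs     rw,nosuid         2     2
/dev/ada0p5  /home       ufs     rw                2     2
/dev/ada0p1  none        swap    sw                0     0
EOF
}

# missing_noexec "MOUNTPOINT ...": read an fstab on stdin and report each
# watched mount point that lacks noexec or is not a filesystem of its own
# (in which case it inherits the options of its parent filesystem).
missing_noexec() {
    awk -v watch="$1" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        /^[ \t]*#/ { next }          # comment line
        NF < 4     { next }          # blank or malformed line
        ($2 in want) {
            seen[$2] = 1
            ok = 0
            m = split($4, opts, ",")
            for (i = 1; i <= m; i++) if (opts[i] == "noexec") ok = 1
            if (!ok) print $2 " missing noexec"
        }
        END { for (i = 1; i <= n; i++) if (!(w[i] in seen)) print w[i] " not a separate filesystem" }
    '
}

# Current value of the sysctl named in the thread; 0 means unprivileged users
# cannot see processes owned by other uids. Prints "unavailable" off FreeBSD.
see_other_uids() {
    sysctl -n security.bsd.see_other_uids 2>/dev/null || echo "unavailable"
}

echo "security.bsd.see_other_uids = $(see_other_uids)"
sample_fstab | missing_noexec "/tmp /var/tmp /home"
```

On a live host, feed it the real file with `missing_noexec "/tmp /var/tmp /home" < /etc/fstab`. noexec blocks direct execution of files on that filesystem; a script can still be run by passing it to an interpreter.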