From owner-freebsd-isp Mon Aug 21 12:54:22 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from saturn.mikesweb.com (saturn.mikesweb.com [216.91.66.1]) by hub.freebsd.org (Postfix) with SMTP id EDD5837B423 for ; Mon, 21 Aug 2000 12:54:17 -0700 (PDT)
Received: (qmail 82078 invoked from network); 21 Aug 2000 19:54:16 -0000
Received: from delta.mikesweb.com (HELO SUN.mikesweb.com) (@216.91.66.252) by saturn.mikesweb.com with SMTP; 21 Aug 2000 19:54:16 -0000
Message-Id: <4.3.2.7.2.20000821155501.06384920@127.0.0.1>
X-Sender: sturdee/mail.mikesweb.com@127.0.0.1
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 21 Aug 2000 15:59:11 -0400
To: FengYue
From: Mike
Subject: Re: ps question
Cc: freebsd-isp@freebsd.org
In-Reply-To:
References: <4.3.2.7.2.20000821014336.00b81aa0@127.0.0.1>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I just put together a hosting server for an isp, and they want to try as
much as possible "private" from user to user.. I looked into using jail,
but don't think they'd need that much right now.. I've gone over the
security info on the freebsd web site, now I was just working on making it
so users wouldn't be "watching" everything that goes on.

At 12:53 PM 8/21/2000 -0700, you wrote:
>What's the use of all those hacks in ps code? People can simply either
>access /proc or directly call kvm_* () functions to get a full list of
>processes running on the machine, or even simply ftp a ps binary
>from another freebsd machine.
>
>On Mon, 21 Aug 2000, Mike wrote:
>
> > tried that, (and changed the line to if (getuid() > 999 || getgid() > 999)
> > so anything that's not a regular user can use it. no luck, can still ps -a
> > as a regular user and see everything running..
> >
> > At 10:11 PM 8/20/2000 -0400, you wrote:
> > >++ 20/08/00 20:51 -0400 - Mike:
> > > >Quick question, how do I make 'ps' work so no matter how users run it, it
> > > >only shows them their processes, and only root can see what -a would
> > > >display?
> > > >thanks
> > >
> > >It shouldn't be too hard to re-write ps so that at the top while/after
> > >processing the command line args the user-id is checked, getuid(2)?. If
> > >it is ZERO then nothing special. If it is not ZERO then limit.
> > >
> > >Here is a very simple hack:
> > >--- ps.c Thu Jul 13 14:16:49 2000 > > >+++ ps-limited.c Sun Aug 20 22:09:53 2000 
> > >@@ -121,6 +121,7 @@ > > > dev_t ttydev; > > > pid_t pid; > > > uid_t uid; > > >+ int isroot; > > > int all, ch, flag, i, fmt, lineno, nentries, dropgid; > > > int prtheader, wflag, what, xflg; > > > char *nlistf, *memf, *swapf, errbuf[_POSIX2_LINE_MAX]; > > >@@ -138,6 +139,10 @@ > > > if (argc > 1) > > > argv[1] = kludge_oldps_options(argv[1]); > > > > > >+ if (getuid() == 0 || getgid() == 0) > > >+ isroot = 1; > > >+ else > > >+ isroot = 0; > > > all = fmt = prtheader = wflag = xflg = 0; > > > pid = -1; > > > uid = (uid_t) -1; > > >@@ -152,7 +157,8 @@ > > > #endif > > > switch((char)ch) { > > > case 'a': > > >- all = 1; > > >+ if (isroot) > > >+ all = 1; > > > break; > > > case 'C': > > > rawcpu = 1; > > > > > >Jim > > >-- > > >"Eagles may soar, but weasels don't get sucked into jet engines" > > > -- Anon > > > > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > > >with "unsubscribe freebsd-isp" in the body of the message > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-isp" in the body of the message > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-isp" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
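Review bot: In the second hunk (`@@ -138,6 +139,10 @@`), `getuid() == 0 || getgid() == 0` sets `isroot` for any caller whose real group ID is 0, not only for uid 0, so every account in that group keeps the full `-a` listing. If the goal stated in the thread is that only root sees other users' processes, drop the `getgid()` clause; the if/else then reduces to `isroot = (getuid() == 0);`.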
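Review bot: In the third hunk (`case 'a':`), the check only stops this binary from setting `all`, and it does so silently, so a non-root `ps -a` gives no indication that the flag was ignored. The hunk does not touch whatever code later consumes `all`, `xflg`, `uid` or `pid` to select processes, and the follow-up quoted above reports that `ps -a` still shows everything for a regular user, so that selection path needs checking as well. As the reply at the top of the thread points out, a test inside ps's option parsing is not an enforcement point, since /proc, the kvm_*() calls and a ps binary copied from another machine return the same list; the restriction has to sit where the process information is served.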