Date: Wed, 4 Oct 2000 08:47:29 -0700
From: "Crist J. Clark"
To: freebsd-security@freebsd.org
Subject: Fwd: eth-security : ANNOUNCE : Resources no for ALL
Message-ID: <20001004084729.C25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu

In the recent flame storms on -security, it may have slipped by when I was deleting threads and certain authors (who will remain nameless) without looking at the contents, but I have not seen any mention of this.

This was posted to BugTraq yesterday. It is a series of patches to restrict certain information from non-priv'ed users. If they actually work well (I have not tried them), is there a reason they could not be added and enabled with a make.conf setting or kernel option or both?

The patches came with no licensing information, so I don't know what the author is up to. Heck, he may have already provided them to some committers for a look, I dunno. Like I said, I did not see anything about this on here and thought this list would be interested.

(BTW, at least when I tried yesterday, the ftp site given did not have the code, but the http URL worked.)

-------- Original Message --------
Subject: eth-security : ANNOUNCE : Resources no for ALL
Date: Mon, 2 Oct 2000 14:48:57 +0200
From: yeti
Reply-To: yeti
To: BUGTRAQ@SECURITYFOCUS.COM

--== Resources Not for All ==--
version 1.0
by y3t1@eth-security.net

-- ===== --
Overview
-- ===== --

RnA is a collection of security improvements for
 - FreeBSD 4.0-RELEASE

Restricted kernel process table and proc filesystem
*---------------------------------------------------*

This patch gives non-root users limited access to the process table; only root sees all processes and has access to their entries in the proc filesystem. Permissions on directories in the proc filesystem are changed to 550 (dr-xr-x---). Non-root users can only see their own processes.

Some examples:

from root console:

    pc1:~# ps ax
      PID  TT  STAT      TIME COMMAND
        0  ??  DLs    0:00.01  (swapper)
        1  ??  ILs    0:00.17 /sbin/init --
        2  ??  DL     0:03.64  (pagedaemon)
        3  ??  DL     0:00.00  (vmdaemon)
        4  ??  DL     0:00.01  (bufdaemon)
        5  ??  DL     0:00.54  (syncer)
       25  ??  Is     0:00.00 adjkerntz -i
    [...]

from user:

    pc1:~$ ps ax
      PID  TT  STAT      TIME COMMAND
      154  v3  Ss     0:00.17 -bash (bash)
      406  v3  R+     0:00.00 ps ax

Restricted who/w/last
*---------------------------------------------------*

Restricted who/w/last gives limited access to utmp/wtmp entries. Users can see only their own logins to the system (no group like w_all, w_grp), but if a user is added to group w_grp, they can see their own and group logins. Group w_all is for trusted users that have full read access to utmp/wtmp.
For example:

from root console:

    pc1:~# who
    root     ttyv0    Sep 27 21:32
    root     ttyv1    Sep 27 20:20
    y3t1     ttyp1    Sep 27 22:06 (100.0.0.2)
    blah     ttyp2    Sep 27 20:30 (195.17.21.113)
    lump     ttyp5    Sep 20 13.56 (63.30.55.243)

from non-root console:

    pc1:~$ who
    y3t1     ttyp1    Sep 27 22:06 (100.0.0.2)

from non-root console if user is added to group w_all:

    pc1:~$ who
    root     ttyv0    Sep 27 21:32
    root     ttyv1    Sep 27 20:20
    y3t1     ttyp1    Sep 27 22:06 (100.0.0.2)
    blah     ttyp2    Sep 27 20:30 (195.17.21.113)
    plum     ttyp5    Sep 20 13.56 (63.30.55.243)

from non-root console if user is added to group w_grp:

    pc1:~$ who
    y3t1     ttyp1    Sep 27 22:06 (100.0.0.2)
    blah     ttyp2    Sep 27 20:30 (195.17.21.113)
    plum     ttyp5    Sep 20 13.56 (63.30.55.243)

Commands w/last are restricted in a similar way.

How to Install
*---------------------------------------------------*

De-tar rna archive

    tar xvzf rna.tar.gz

and run

    cd RnA/
    ./RnA
    cd /sys/compile/your_kernel_name/
    make config
    make
    make install
    cd /usr/src/usr.bin/who
    make
    make install
    cd /usr/src/usr.bin/w
    make
    make install
    cd /usr/src/usr.bin/last
    make
    make install

Check permission to who/w/last (need sgid uwtmp group) and reboot your system.

How to get
*---------------------------------------------------*

You can get the new version of rna from:

    ftp://ftp.eth-security.net/pub/rna.tar.gz
    http://www.eth-security.net/files/rna.tar.gz
    http://rast.lodz.pdi.net/~y3t1/rna.tar.gz

Greets
*---------------------------------------------------*

vx@mtl.pl - inspired me to write these patches
z33d@eth-security.net - b00m b00m b00m ... dawac pieniadze
Admins from Institute of Physics (Wroclaw) - for testing patches and good dinners
all on #sigsegv@ircnet: z33d, funkySh, Kris, detergent, crashkill, cliph, xfer and other cool guys
rastlin, tmoggie, Shadow, Trolinka, lcamtuf, kodzak, venglin, spaceman

----- End forwarded message -----

-- 
Crist J. Clark                           cjclark@alum.mit.edu
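
The who/w/last visibility rule described in the forwarded announcement, sketched as an added example (not part of the original message and not code from the RnA patches). The record layout, the uids and gids, and the reading of "group login" as "sessions of users sharing the viewer's primary gid" are assumptions chosen so that the constructed sample reproduces the `who` listings quoted above.

```c
#include <stdio.h>
#include <sys/types.h>

/* Reduced login record (constructed layout, not the real struct utmp). */
struct session { const char *user, *line; uid_t uid; gid_t gid; };
/* The caller's identity plus membership in the two groups the message names. */
struct viewer { uid_t uid; gid_t gid; int in_w_all, in_w_grp; };

/* Constructed sample mirroring the `who` listing; uids and gids are invented. */
static const struct session sample[] = {
    { "root", "ttyv0", 0,    0   },
    { "root", "ttyv1", 0,    0   },
    { "y3t1", "ttyp1", 1001, 100 },
    { "blah", "ttyp2", 1002, 100 },
    { "plum", "ttyp5", 1003, 100 },
};
#define NSAMPLE ((int)(sizeof sample / sizeof sample[0]))

/* Return 1 if viewer v may see session s, 0 otherwise (default is deny). */
int can_see(const struct viewer *v, const struct session *s)
{
    if (v->uid == 0 || v->in_w_all)   /* root and w_all: full read access */
        return 1;
    if (s->uid == v->uid)             /* everyone sees their own logins */
        return 1;
    /* ASSUMPTION: "group login" = sessions sharing the viewer's primary gid */
    return v->in_w_grp && s->gid == v->gid;
}

/* Count (and optionally print) the sample sessions visible to one viewer. */
int visible_count(uid_t uid, gid_t gid, int in_w_all, int in_w_grp, int print)
{
    struct viewer v = { uid, gid, in_w_all, in_w_grp };
    int i, n = 0;

    for (i = 0; i < NSAMPLE; i++) {
        if (!can_see(&v, &sample[i]))
            continue;
        if (print)
            printf("%-8s %s\n", sample[i].user, sample[i].line);
        n++;
    }
    return n;
}

int main(void)
{
    /* y3t1 as a w_grp member: own session plus same-gid sessions. */
    printf("%d session(s) visible\n", visible_count(1001, 100, 0, 1, 1));
    return 0;
}
```

A filter like this only holds if the utmp/wtmp files themselves are unreadable to ordinary users, which is why the install notes require who/w/last to be setgid to the uwtmp group.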