Date:      Wed, 4 Oct 2000 08:47:29 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        freebsd-security@freebsd.org
Subject:   Fwd: eth-security : ANNOUNCE : Resources no for ALL
Message-ID:  <20001004084729.C25121@149.211.6.64.reflexcom.com>

In the recent flame storms on -security, it may have slipped by when I
was deleting threads and certain authors (who will remain nameless)
without looking at the contents, but I have not seen any mention of
this.

This was posted to BugTraq yesterday. It is a series of patches to
restrict certain information from non-priv'ed users. If they actually
work well (I have not tried them), is there a reason they could not be
added and enabled with a make.conf setting or kernel option or both?
The patches came with no licensing information, so I don't know what
the author is up to. Heck, he may have already provided them to some
committers for a look, I dunno.

Like I said, I did not see anything about this on here and thought
this list would be interested. (BTW, at least when I tried yesterday,
the ftp site given did not have the code, but the http URL worked.)

-------- Original Message --------
Subject: eth-security : ANNOUNCE : Resources no for ALL
Date: Mon, 2 Oct 2000 14:48:57 +0200
From: yeti <y3t1@ETH-SECURITY.NET>
Reply-To: yeti <y3t1@ETH-SECURITY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM

		--==	Resources Not for All  ==--
                           version 1.0

				by y3t1@eth-security.net


-- ===== --
 Overview
-- ===== --

RnA is a collection of security improvements for
       - FreeBSD 4.0-RELEASE


 Restricted kernel process table and proc filesystem
*---------------------------------------------------*

This patch gives non-root users limited access to the process table: only root
sees all processes and has access to their entries in the proc filesystem.
Permission on directories in the proc filesystem is changed
to 550 (dr-xr-x---). Non-root users can only see their own processes.

Some examples:

from root console :

pc1:~# ps ax
  PID  TT  STAT      TIME COMMAND
    0  ??  DLs    0:00.01  (swapper)
    1  ??  ILs    0:00.17 /sbin/init --
    2  ??  DL     0:03.64  (pagedaemon)
    3  ??  DL     0:00.00  (vmdaemon)
    4  ??  DL     0:00.01  (bufdaemon)
    5  ??  DL     0:00.54  (syncer)
   25  ??  Is     0:00.00 adjkerntz -i
[...]

from user :

pc1:~$ ps ax
  PID  TT  STAT      TIME COMMAND
  154  v3  Ss     0:00.17 -bash (bash)
  406  v3  R+     0:00.00 ps ax

 Restricted who/w/last
*---------------------------------------------------*

Restricted who/w/last gives limited access to utmp/wtmp entries.
Users can see only their own logins to the system (no group like w_all, w_grp),
but a user added to group w_grp can see their own and group logins.
Group w_all is for trusted users who have full read access to utmp/wtmp.

For example:

from root console :

pc1:~# who
root             ttyv0   Sep 27 21:32
root             ttyv1   Sep 27 20:20
y3t1             ttyp1   Sep 27 22:06 (100.0.0.2)
blah	         ttyp2   Sep 27 20:30 (195.17.21.113)
lump             ttyp5   Sep 20 13.56 (63.30.55.243)

from non-root console

pc1:~$ who
y3t1             ttyp1   Sep 27 22:06 (100.0.0.2)


from non-root console if user is added to group w_all

pc1:~$ who
root             ttyv0   Sep 27 21:32
root             ttyv1   Sep 27 20:20
y3t1             ttyp1   Sep 27 22:06 (100.0.0.2)
blah	         ttyp2   Sep 27 20:30 (195.17.21.113)
plum             ttyp5   Sep 20 13.56 (63.30.55.243)

from non-root console if user is added to group w_grp

pc1:~$ who
y3t1             ttyp1   Sep 27 22:06 (100.0.0.2)
blah	         ttyp2   Sep 27 20:30 (195.17.21.113)
plum             ttyp5   Sep 20 13.56 (63.30.55.243)

Commands w/last are restricted in a similar way.

 How to Install
*---------------------------------------------------*

De-tar rna archive

tar xvzf rna.tar.gz

and run

cd RnA/
./RnA

cd /sys/compile/your_kernel_name/
make config
make
make install

cd /usr/src/usr.bin/who
make
make install

cd /usr/src/usr.bin/w
make
make install

cd /usr/src/usr.bin/last
make
make install

Check permissions on who/w/last (need sgid uwtmp group) and reboot your system.


  How to get
*---------------------------------------------------*

You can get the new version of rna from:

ftp://ftp.eth-security.net/pub/rna.tar.gz
http://www.eth-security.net/files/rna.tar.gz
http://rast.lodz.pdi.net/~y3t1/rna.tar.gz

 Greets
*---------------------------------------------------*

vx@mtl.pl                         - inspired me to write these patches
z33d@eth-security.net             - b00m b00m b00m ... dawac pieniadze
Admins from
Institute of Physics(Wroclaw)     - for testing patches and good diners
				
all on :

       #sigsegv@ircnet :  z33d,funkySh,Kris,detergent,crashkill,cliph,xfer

and other cool guys

       rastlin,tmoggie,Shadow,Trolinka,lcamtuf,kodzak,venglin,spaceman

----- End forwarded message -----
-- 
Crist J. Clark                           cjclark@alum.mit.edu
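
A check for the last install step in the forwarded announcement (who/w/last "need sgid uwtmp group"), added here as an example; it is not part of the original message or of the RnA archive. The binary and log paths are the stock FreeBSD 4.x locations, and the requirement that utmp/wtmp not be world-readable is an assumption about how the restriction has to be deployed to be effective; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit permissions after installing restricted who/w/last.
# The group name "uwtmp" comes from the announcement; paths are assumed.

# check_sgid FILE GROUP: pass only if FILE is setgid, group-owned by GROUP
# and not writable by "other" (a writable sgid binary can be replaced).
check_sgid() {
    f=$1; want=$2; bad=0
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    mode=$(ls -ld "$f" | awk '{print $1}')
    grp=$(ls -ld "$f" | awk '{print $4}')
    [ -g "$f" ] || { echo "NO-SGID  $f ($mode)"; bad=1; }
    [ "$grp" = "$want" ] || { echo "GROUP    $f is $grp, want $want"; bad=1; }
    case $mode in ????????w*) echo "WRITABLE $f ($mode)"; bad=1 ;; esac
    return $bad
}

# check_private FILE: pass only if "other" has no read bit. If utmp/wtmp stay
# world-readable, any user can parse them directly and bypass the filtered
# who/w/last entirely.
check_private() {
    f=$1
    [ -f "$f" ] || { echo "MISSING  $f"; return 1; }
    mode=$(ls -ld "$f" | awk '{print $1}')
    case $mode in ???????r*) echo "READABLE $f ($mode)"; return 1 ;; esac
    return 0
}

# audit_rna: run both checks over the files named in the install steps.
audit_rna() {
    rc=0
    for b in /usr/bin/who /usr/bin/w /usr/bin/last; do
        check_sgid "$b" uwtmp || rc=1
    done
    for l in /var/run/utmp /var/log/wtmp; do
        check_private "$l" || rc=1
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then audit_rna; fi
```

Run it with `--run` before the reboot; any line of output marks a file that still needs its mode or group corrected.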

