From owner-freebsd-hackers Mon Aug 14 1: 0:50 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from ns1.ovis.net (ns1.ovis.net [207.0.147.2]) by hub.freebsd.org (Postfix) with ESMTP id 28F8937BD4B for ; Mon, 14 Aug 2000 01:00:43 -0700 (PDT) (envelope-from chromexa@ovis.net)
Received: from ovis.net (s22.pm5.ovis.net [207.0.147.89]) by ns1.ovis.net (8.9.3/8.9.3) with ESMTP id EAA16733; Mon, 14 Aug 2000 04:00:02 -0400
Message-ID: <3997A8E9.5C17BF89@ovis.net>
Date: Mon, 14 Aug 2000 04:08:09 -0400
From: Steve Kudlak
Reply-To: chromexa@ovis.net
X-Mailer: Mozilla 4.5 [en]C-CCK-MCD ezn/58/n (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Maxime Henrion
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: limit processes that a user can 'see'
References: <39970D08.4BA72541@qualys.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Maxime Henrion wrote:

> Hello,
>
> I have an idea that I would love to see applied in FreeBSD source code,
> but as I'm not skilled enough to code it, I post it to see if you think
> it makes sense, and if someone would be interested in coding this. It is
> a security measure regarding the 'ps' command.
>
> By using the 'ps' command, any user logged in to the system can view all
> the running processes, including root's and the processes of other
> users. My idea is to limit this behaviour a bit.
>
> Through a sysctl variable, root could restrict the list of
> "readable" processes. By readable, I mean that it can be viewed. For
> example, a value of 0 could mean no restriction, 1 would hide root
> processes, 2 would restrict the visible processes to the processes
> owned by users in the same group as the current user, and finally, 3
> would restrict the process list to those owned by the current user
> (this is the way I'd have done it if I was able to).
>
> Of course, there would be no limitation for the superuser.
>
> The modification must be done at a low enough level so that a user won't
> be able to bypass this security measure by compiling another 'ps', so
> patching 'ps' doesn't suffice (in fact, if it did, I would have done it
> :-).
>
> What do you all think of this?
>
> Best regards,
>
> Maxime Henrion

I think it is fascist, but it's your system.

Have Fun,
Sends Steve

P.S. Known to run with at.deny and cron.deny set to known one with no trouble.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
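An added sketch (not FreeBSD code and not from either poster) of the visibility check Maxime describes, written as a pure function run over a constructed process table; the policy enum, the struct names and the sample uids/gids are assumptions. FreeBSD later shipped the kernel-enforced security.bsd.see_other_uids and security.bsd.see_other_gids sysctls, which cover the per-user and per-group cases of this proposal.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>
/* Policy values as proposed in the message (hypothetical sysctl; names assumed). */
enum ps_policy { PS_SHOW_ALL = 0, PS_HIDE_ROOT = 1, PS_SAME_GROUP = 2, PS_SAME_USER = 3 };
struct cred { uid_t uid; gid_t gid; };              /* minimal stand-in for a ucred */
struct proc_entry { pid_t pid; struct cred owner; };

/* May a process owned by `target` be listed by `viewer`? This check belongs in the
 * kernel (the sysctl that backs ps), not in ps itself, so a rebuilt ps cannot skip it.
 * Superuser is never restricted, per the proposal. Simplification: primary gid only. */
bool proc_visible(const struct cred *viewer, const struct cred *target, int policy)
{
    if (viewer->uid == 0)
        return true;
    switch (policy) {
    case PS_SHOW_ALL:   return true;
    case PS_HIDE_ROOT:  return target->uid != 0;
    case PS_SAME_GROUP: return target->gid == viewer->gid;
    case PS_SAME_USER:  return target->uid == viewer->uid;
    default:            return target->uid == viewer->uid; /* unknown value: fail closed */
    }
}

/* Count how many of the n processes in tab the viewer may list. */
size_t count_visible(const struct cred *viewer, const struct proc_entry *tab, size_t n, int policy)
{
    size_t seen = 0;
    for (size_t i = 0; i < n; i++)
        if (proc_visible(viewer, &tab[i].owner, policy))
            seen++;
    return seen;
}

/* Constructed sample process table (not real system data). */
static const struct proc_entry sample_procs[] = {
    { 1,   { 0,    0   } },  /* init, root */
    { 120, { 0,    0   } },  /* root daemon */
    { 300, { 1001, 100 } },  /* alice, group 100 */
    { 301, { 1002, 100 } },  /* bob,   group 100 */
    { 400, { 1003, 200 } },  /* carol, group 200 */
};
#define NSAMPLE (sizeof sample_procs / sizeof sample_procs[0])

/* How many sample processes a viewer with uid/gid sees under policy. */
size_t sample_visible(uid_t uid, gid_t gid, int policy)
{
    struct cred viewer = { uid, gid };
    return count_visible(&viewer, sample_procs, NSAMPLE, policy);
}
```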