Date:      Thu, 09 Sep 1999 14:10:07 -0500
From:      Chris Costello <chris@calldei.com>
To:        Mike Pritchard <mpp@FreeBSD.ORG>
Cc:        Gustavo V G C Rios <grios@ddsecurity.com.br>, freebsd-hackers@FreeBSD.ORG
Subject:   Re: CS Project
Message-ID:  <19990909141007.D1834@holly.calldei.com>
In-Reply-To: <199909091119.GAA04543@mpp.pro-ns.net>
References:  <19990908203812.A98739@holly.calldei.com> <199909091119.GAA04543@mpp.pro-ns.net>

On Thu, Sep 09, 1999, Mike Pritchard wrote:
> I used to work somewhere where we didn't want any of the users
> to know anything about any other groups of users' processes.
> We did this by restricting ps to only show other procs that
> had the same primary group as the person executing ps.
> Root and group wheel (or some equivalent) could always see
> all running procs.  You could always go hunting through the
> file systems, but their own directory permissions were their problem,
> not ours.

   It would be trivial, in FreeBSD.  Simply hack a few lines of
VFS code in procfs to change permissions from

(S_IRUSR | S_IRGRP | S_IROTH | S_IXUSR | S_IXGRP | S_IXOTH)

to

(S_IRUSR | S_IRGRP | S_IXUSR | S_IXGRP)
           ^^^^^^^             ^^^^^^^
           Optional; if you don't want people in the same group
           seeing processes, do not use these permissions.

   I haven't looked into it, but it should be rather trivial, if
such security is important.

> -Mike
> -- 
> Mike Pritchard
> mpp@FreeBSD.org or mpp@mpp.pro-ns.net
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message

-- 
|Chris Costello <chris@calldei.com>
|Feet Smell?  Nose Run?  Hey, you're upside down! 
`-------------------------------------------------
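
Added example, not part of the original message and not FreeBSD kernel code: a user-space model of the owner/group/other check, showing who could still list a per-process procfs directory under each mode from the message. The uids, gids, the macro names and `can_list` are constructed for illustration, and it assumes the directory is owned by the process's uid and primary gid.

```c
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>

/* The modes discussed in the message (macro names are hypothetical). */
#define MODE_STOCK (S_IRUSR | S_IRGRP | S_IROTH | S_IXUSR | S_IXGRP | S_IXOTH)
#define MODE_GROUP (S_IRUSR | S_IRGRP | S_IXUSR | S_IXGRP)
#define MODE_OWNER (S_IRUSR | S_IXUSR)   /* the "optional" bits dropped too */

/*
 * Classic UNIX check: exactly one class applies (owner, else group, else
 * other) and only that class's read+search bits are tested. uid 0 bypasses
 * the mode bits. Assumption: only the primary gid is compared;
 * supplementary groups are left out to keep the model small.
 */
int can_list(mode_t mode, uid_t owner, gid_t group, uid_t uid, gid_t gid)
{
    mode_t need;

    if (uid == 0)
        return 1;
    if (uid == owner)
        need = S_IRUSR | S_IXUSR;
    else if (gid == group)
        need = S_IRGRP | S_IXGRP;
    else
        need = S_IROTH | S_IXOTH;
    return (mode & need) == need;
}

int main(void)
{
    /* Constructed sample: a process owned by uid 1001, primary gid 100. */
    const uid_t owner = 1001;
    const gid_t group = 100;
    struct { const char *who; uid_t uid; gid_t gid; } v[] = {
        { "owner", 1001, 100 }, { "same group", 1002, 100 },
        { "other group", 1003, 200 }, { "root", 0, 0 },
    };
    mode_t modes[] = { MODE_STOCK, MODE_GROUP, MODE_OWNER };

    for (size_t i = 0; i < sizeof v / sizeof v[0]; i++) {
        printf("%-12s", v[i].who);
        for (size_t m = 0; m < sizeof modes / sizeof modes[0]; m++)
            printf("  %04o:%-3s", (unsigned)modes[m],
                can_list(modes[m], owner, group, v[i].uid, v[i].gid) ? "yes" : "no");
        printf("\n");
    }
    return 0;
}
```

In this model only uid 0 is exempt from the mode bits; the group wheel exemption described in the quoted text would need a check of its own.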

