Date:      Wed, 3 Apr 2002 19:15:53 +1200 (NZST)
From:      Andrew McNaughton <andrew@scoop.co.nz>
To:        "N. J. Cash" <ncash@pei.eastlink.ca>
Cc:        Jason Stone <jason@shalott.net>, Jesper Wallin <z3l3zt@phucking.kicks-ass.org>, <security@FreeBSD.ORG>
Subject:   Re: Stop usage of "who"?
Message-ID:  <20020403190942.D92128-100000@a2>
In-Reply-To: <002301c1da7f$629f66c0$6401a8c0@router.unknown.ca>

Has anyone developed tools for managing software updates over a large
number of jails?  I'm thinking along the lines of freevsd (that is a
'v').

Also (related), is NFS ever likely to play nicely with jails, and what
alternatives are there for providing access to a shared read-only file
area for things like ports, packages and recently built FreeBSD
source/object files?

Andrew McNaughton




On Tue, 2 Apr 2002, N. J. Cash wrote:

> Date: Tue, 2 Apr 2002 15:48:38 -0400
> From: N. J. Cash <ncash@pei.eastlink.ca>
> To: Jason Stone <jason@shalott.net>,
>      Jesper Wallin <z3l3zt@phucking.kicks-ass.org>
> Cc: security@FreeBSD.ORG
> Subject: Re: Stop usage of "who"?
>
> As far as trying to chmod permissions on files I would recommend that you
> check out and use *jail* instead.
> Jail can be a little tricky to get going but it's a nice way to limit users
> to basically no or customized shell access commands.
> It can also prevent a cd .. to /home *so no looking around!*
>
> In FreeBSD *man jail* is a little funky to understand, I'd try a google
> search about it for some more detailed info..
>
> It'll work perfectly if you have the time and patience to do it : )
>
> Here's some info on quotas if you haven't seen it yet..
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
>
> ----- Original Message -----
> From: Jason Stone
> To: Jesper Wallin
> Cc: security@FreeBSD.ORG
> Sent: Tuesday, April 02, 2002 4:05 AM
> Subject: Re: Stop usage of "who"?
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > Now I want to stop usage of commands like w, who and users.. I guess
> > it must be able to change somewhere in the proc dir instead of
> > changing the permissions on all the executables..
>
> Most daemons/programs that log you in write a record into utmp/wtmp when
> they do so, and who(1) _et al_ just read utmp and print out whatever is in
> it.
>
> So to make this mechanism fail, it is sufficient to either stop the
> writing to utmp/etc, or to stop the reading of utmp/etc.
>
> The files in question are (from /usr/include/utmp.h):
> #define _PATH_UTMP      "/var/run/utmp"
> #define _PATH_WTMP      "/var/log/wtmp"
> #define _PATH_LASTLOG   "/var/log/lastlog"
>
> Making all these files mode 600 would allow who(1) to be run normally by
> root but fail for normal users.  Also remember to change newsyslog.conf so
> that the restrictive permissions will get preserved when the files get
> rotated.
>
>
> Note that users will still be able to see some information about other
> users.  netstat(1), for example, will show users all open network
> connections, vmstat(8) will allow users to see if someone is working at
> the physical console, etc.
>
>
> > Another thing I want to do (if it's possible) is to add a default
> > quota.. like, all new users who are being added will have about 500Mb of
> > disk space..
>
> Quotas are discussed in detail in section 12.5 of the handbook - check
> that out and then mail freebsd-questions if you have specific questions.
> If you're wondering strictly about setting the default when you create
> users, well then it depends on how you're creating the users, and there
> are many approaches you can take depending on your needs.  Wrapping pw(8)
> with a shell or perl script and running another script from cron to check
> that all users have a quota is the approach I'd take.
>
>
>  -Jason
>
>  -----------------------------------------------------------------------
>  I worry about my child and the Internet all the time, even though she's
>  too young to have logged on yet.  Here's what I worry about.  I worry
>  that 10 or 15 years from now, she will come to me and say "Daddy, where
>  were you when they took freedom of the press away from the Internet?"
> -- Mike Godwin
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQE8qWYzswXMWWtptckRAtsaAKC4K3omxAaymOrfSakae1dbL0XDwACgtACu
> ig/YFCB7SkvzPjoP7x4ziHg=
> =cgJ2
> -----END PGP SIGNATURE-----
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
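
An added example, not part of the original thread: an sh audit for the point quoted above that mode 600 on utmp/wtmp/lastlog only lasts if newsyslog.conf also rotates them with a restrictive mode. The three paths are from the quoted utmp.h excerpt; the function names, the sample newsyslog.conf lines and the temporary stand-in files are constructed for illustration.

```sh
#!/bin/sh
# Paths as listed in the quoted utmp.h excerpt.
TARGETS="/var/run/utmp /var/log/wtmp /var/log/lastlog"

# Print "path mode" for newsyslog.conf entries covering TARGETS whose mode
# grants any group/other access. Entry layout:
#   logfile [owner:group] mode count size when [flags] ...
# owner:group is optional, so the mode is field 2 if octal, else field 3.
loose_newsyslog_entries() {
    awk -v targets="$TARGETS" '
        BEGIN { n = split(targets, t, " "); for (i = 1; i <= n; i++) want[t[i]] = 1 }
        /^[ \t]*#/ || NF < 2 { next }
        ($1 in want) {
            mode = ($2 ~ /^[0-7]+$/) ? $2 : $3
            # Last two octal digits are group and other; both must be 0.
            if (mode !~ /^[0-7]*00$/) print $1, mode
        }' "$1"
}

# Print each existing file in "$@" that group or other can access at all.
loose_files() {
    for f in "$@"; do
        [ -e "$f" ] || continue
        perms=$(ls -ld "$f" | cut -c5-10)   # group and other permission bits
        [ "$perms" = "------" ] || echo "$f"
    done
}

# Constructed sample config: wtmp would be recreated 644 at rotation.
conf=$(mktemp)
dir=$(mktemp -d)
trap 'rm -rf "$conf" "$dir"' EXIT
cat > "$conf" <<'EOF'
# logfilename        [owner:group]  mode count size when   flags
/var/log/wtmp                       644  3     *    @01T05 B
/var/log/lastlog     root:wheel     600  3     *    @01T05 B
/var/log/messages                   644  5     100  *      Z
EOF
loose_newsyslog_entries "$conf"

# Constructed stand-ins for the real files so this runs unprivileged.
touch "$dir/utmp" "$dir/wtmp"
chmod 600 "$dir/utmp"
chmod 644 "$dir/wtmp"
loose_files "$dir/utmp" "$dir/wtmp"
```

On a real host, call `loose_newsyslog_entries /etc/newsyslog.conf` and `loose_files $TARGETS`; any output is a file that non-root users can read now or will be able to read after the next rotation.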
