Date: Tue, 29 Mar 2005 21:35:28 +0200 From: Miguel Mendez <flynn@energyhq.es.eu.org> To: "H. S." <security@revolutionsp.com> Cc: freebsd-hackers@freebsd.org Subject: Re: A few thoughts.. Message-ID: <20050329213528.59dab2e2.flynn@energyhq.es.eu.org> In-Reply-To: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com> References: <61910.81.84.174.37.1112123946.squirrel@mail.revolutionsp.com>
next in thread | previous in thread | raw e-mail | index | archive | help
--Signature=_Tue__29_Mar_2005_21_35_28_+0200_.E0Fc9_bWDttBM9d Content-Type: text/plain; charset=US-ASCII Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, 29 Mar 2005 13:19:06 -0600 (CST) "H. S." <security@revolutionsp.com> wrote: > [USERNAME@SERVER:/home/USERNAME]$ ./dmesg > Copyright (c) 1992-2004 The FreeBSD Project. > Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 [...] > real memory =3D 83886080 (80 MB) > avail memory =3D 72318976 (68 MB) > My "USERNAME" account doesn't have access to /sbin/dmesg, but I uploaded a > /sbin/dmesg from a 5.2.1-RELEASE to a 5.3-STABLE box, and then I could > have access to this system information. The same goes for systat , vmstat, > and all these commands that (most people think) shouldn't be available for > regular users. If you don't want users to run random binaries put /home and /tmp on their own partitions and mount them noexec. Also note that users can still read that info by accessing /var/log/messages and /var/run/ dmesg.boot > Shouldn't this information be protected at kernel level? Am I missing > something I can do about this ? Because this method works with everything > that ressembles permissions in order to hide system information that can > be obtained without root privileges. Sounds like security through obscurity to me. If you don't trust your shell users put them in a jail, where any bad behaviour can be contained. > If you can't trust your logs.. This also poses another problem, with a > little patience, one can fill up /var. =20 > Lastly, anyone knows if FreeBSD is getting systrace support ? I think of > it as a major drawback in the security field, one can do very interesting > things with systrace. Added with other freebsd features (jails, etc), it > makes a very good security tool. Have a look at mac(3), mac(4) and mac.conf(5), it's not systrace but you ca= n achieve similar results. Cheers, --=20 Miguel Mendez <flynn@energyhq.es.eu.org> http://www.energyhq.es.eu.org PGP Key: 0xDC8514F1 --Signature=_Tue__29_Mar_2005_21_35_28_+0200_.E0Fc9_bWDttBM9d Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (FreeBSD) iD8DBQFCSa4EnLctrNyFFPERAh27AJwP7eViE+d9CTZ1/2EBvJ5TnIYP9wCgrX3i seDsr1QRgxYT8Fa7tz8XGGY= =qd62 -----END PGP SIGNATURE----- --Signature=_Tue__29_Mar_2005_21_35_28_+0200_.E0Fc9_bWDttBM9d--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20050329213528.59dab2e2.flynn>