|
|
|||||||
| OpenBSD Security Functionally paranoid! |
 |
|
|
Thread Tools | Display Modes |
8th June 2008
|
|||
|
|||
chmods for users & hiding processes
Hello!
I couldn't find any solution to my problems, so I'm asking there: 1. How should I set chmods for filesystem (/etc, /usr/, /var/, etc.) to hide contents of those folders for users, but to make it possible to execute such commands like uptime, uname, date, etc. 2. What should I do to hide non-user's processes? I mean users will only be able to display the processes that are owned by that user. In FreeBSD I have added 'security.bsd.see_other_uids=0' in /etc/sysctl.conf and that was everything, but how can I do this in OpenBSD? 
|
|
8th June 2008
|
||||
|
||||
|
These sorts of questions has been asked again and again over the years; searching the misc@ archives will give you an idea of just how many times.
The short answer is that you cannot "hide" files required for functionality without damaging or eliminating function. This is OpenBSD, where there is no reason to do so. Even processes in a chrooted subsystem (where each process could have private copies of /etc, /usr, and /var) share memory. ps(1) and similar tools can be used to obtain information about running processes, regardless. Longer answers can be found in the archives, where users have posted examples of modifications to ps(1) and other userland applications... it was pointed out to them that if a shell user can transfer data, the the shell user can transfer standard binaries and use them anyway. Many users do not install the compiler fileset on computers they wish to keep "extra secure" -- thinking that if an attacker reached a shell, they would not be able to compile removed utilities, or perhaps even rootkits. These users do not seem to realize that, if an attacker can reach a shell, the attacker can probably bring binaries or even compilers along with them. 
__________________
OpenBSD LiveCDs/LiveDVDs
|
|
12th June 2008
|
|||
|
|||
|
standard unix filesystem permissions should be adequate to protect a system from its users (the defaults on OpenBSD are good enough), but if you're really paranoid, you should run NetBSD (has veriexec, per user /tmp and a security.curtain sysctl) or FreeBSD (has a complete MAC framework and lots of other goodies from the TrustedBSD project); on OpenBSD, you can always tighten the filesystem permissions some more, or slap immutable flags on files, or mount partitions read-only, or chroot your users in their own environment (lots of work, if you want to do that)...
|
|
| Thread Tools | |
| Display Modes | |
|
|
Similar Threads
|
||||
| Thread | Thread Starter | Forum | Replies | Last Post |
| Prevent users from using proxy | bichumo | General software and network | 8 | 20th April 2009 01:00 PM |
| See processes on other servers? | biscuits | FreeBSD General | 2 | 20th January 2009 03:15 AM |
| ftpd and hiding . files | crofox | OpenBSD Packages and Ports | 5 | 26th June 2008 03:01 AM |
| DMZ for two networks users... | maurobottone | OpenBSD Security | 6 | 2nd June 2008 02:57 PM |
| TeX for troff users? | DrJ | Off-Topic | 0 | 2nd May 2008 09:29 PM |
Linear Mode
