A few thoughts..
Miguel Mendez
flynn at energyhq.es.eu.org
Tue Mar 29 11:35:56 PST 2005
On Tue, 29 Mar 2005 13:19:06 -0600 (CST)
"H. S." <security at revolutionsp.com> wrote:
> [USERNAME at SERVER:/home/USERNAME]$ ./dmesg
> Copyright (c) 1992-2004 The FreeBSD Project.
> Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
[...]
> real memory = 83886080 (80 MB)
> avail memory = 72318976 (68 MB)
> My "USERNAME" account doesn't have access to /sbin/dmesg, but I uploaded a
> /sbin/dmesg from a 5.2.1-RELEASE to a 5.3-STABLE box, and then I could
> have access to this system information. The same goes for systat , vmstat,
> and all these commands that (most people think) shouldn't be available for
> regular users.
If you don't want users to run random binaries put /home and /tmp on
their own partitions and mount them noexec. Also note that users can
still read that info by accessing /var/log/messages and /var/run/
dmesg.boot
> Shouldn't this information be protected at kernel level? Am I missing
> something I can do about this ? Because this method works with everything
> that ressembles permissions in order to hide system information that can
> be obtained without root privileges.
Sounds like security through obscurity to me. If you don't trust your
shell users put them in a jail, where any bad behaviour can be
contained.
> If you can't trust your logs.. This also poses another problem, with a
> little patience, one can fill up /var.
> Lastly, anyone knows if FreeBSD is getting systrace support ? I think of
> it as a major drawback in the security field, one can do very interesting
> things with systrace. Added with other freebsd features (jails, etc), it
> makes a very good security tool.
Have a look at mac(3), mac(4) and mac.conf(5), it's not systrace but you can achieve
similar results.
Cheers,
--
Miguel Mendez <flynn at energyhq.es.eu.org>
http://www.energyhq.es.eu.org
PGP Key: 0xDC8514F1
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-hackers/attachments/20050329/ebfe2c83/attachment.bin
More information about the freebsd-hackers
mailing list