Sysctls and privacy
schultz at ime.usp.br
schultz at ime.usp.br
Fri Oct 12 13:08:30 UTC 2012
In my system I use separate user accounts for running untrusted
programs at the moment. While many will probably argue that jails
are a superior solution, in my specific case its the inverse.
I know FreeBSD is not ready by default to have multiple untrusted
users in the system, at least from a security viewpoint. I have
done quite a bit of changes to make the situation better.
However, there is something bugging me. Some sysctls apparently
expose too much information about the system. Some examples: the
number of context switches, the number of forks, the total used
memory (at the byte level), the total used space for each file
system (at the byte level) and even a graph of how my GEOM devices
are organized!
I know some programs like gkrellm need this information to function,
but on the other hand, I feel pretty uncomfortable with the
information presented by gkrellm being logged. It's at the very least
a loss of privacy.
So, I would like to ask for a way to disable user access to all
sysctls that are not needed by basic user programs (shell, terminal, etc).
Also, if possible, I would like to have a group of users to whom
these sysctls are accessible as an exception (to run gkrellm).
Thanks for your time.
More information about the freebsd-questions
mailing list