Disable w / who

Kenta S. kentas at hush.com
Wed Apr 2 15:41:42 UTC 2014

On 04/02/2014 at 11:30 AM, "Dan Nelson" <dnelson at allantgroup.com> wrote:
>Also remember to remove /var/run/utx.active, /var/log/utx.*,
>the netstat, sockstat, and lsof commands, 

"sysctl security.bsd.see_other_uids=0" solves this, doesn't it?
FreeBSD doesn't include lsof.

>plus gcc, clang, and any ability to upload executables :) 

This is easily done with mount options in /etc/fstab.

>Unixes weren't really designed for information-hiding at the
>level you're looking for.

It doesn't have to be perfect and stop everyone, just preventing
regular users from seeing "w" and "who was my goal.

>An alternative might be to do some sort of inbound NAT outside
>the box itself, so that all incoming TCP sessions get NAT'ted to
>an internal IP before hitting your server.

I'll look into doing this with pf, thanks.

More information about the freebsd-questions mailing list