Disable w / who

Devin Teske devin.teske at fisglobal.com
Wed Apr 2 16:41:04 UTC 2014



> -----Original Message-----
> From: Dan Nelson [mailto:dnelson at allantgroup.com]
> Sent: Wednesday, April 2, 2014 8:30 AM
> To: Daniel Corbe
> Cc: Kenta S.; freebsd-questions at freebsd.org
> Subject: Re: Disable w / who
> 
> In the last episode (Apr 02), Daniel Corbe said:
> > "Kenta S." <kentas at hush.com> writes:
> > > Hi. On a multiuser system, is it possible to disable access to the "w"
> > > and "who" commands?  I'd rather all the users not be able to see
> > > each other's IP addresses.
> >
> > chmod og-rx /usr/bin/who && chmod og-rx /usr/bin/w
> 
> Also remember to remove /var/run/utx.active, /var/log/utx.*, the netstat,
> sockstat, and lsof commands, plus gcc, clang, and any ability to upload
> executables :)  Unixes weren't really designed for information-hiding at the
> level you're looking for.
> 
> An alternative might be to do some sort of inbound NAT outside the box
> itself, so that all incoming TCP sessions get NAT'ted to an internal IP before
> hitting your server.
> 

What about the TrustedBSD Mandatory Access Control (MAC) framework?
mac(3) mac(4) mac(9) mac.conf(5) mac_seeotheruids(4)

Specifically mac_seeotheruids(4) - simple policy controlling whether users
see other users
-- 
Devin

> --
> 	Dan Nelson
> 	dnelson at allantgroup.com