Re: Stop usage of "who"?

From: Andrew McNaughton (andrew@scoop.co.nz)
Date: 04/03/02


Date: Wed, 3 Apr 2002 19:15:53 +1200 (NZST)
From: Andrew McNaughton <andrew@scoop.co.nz>
To: "N. J. Cash" <ncash@pei.eastlink.ca>


Has anyone developed tools for managing software updates over a large
number of jails? I'm thinking along the lines of freevsd (that is a
'v').

Also (related), is NFS ever likely to play nicely with jails, and what
alternatives are there for providing access to a shared read-only file
area for things like ports, packages and recently built FreeBSD
source/object files?

Andrew McNaughton

On Tue, 2 Apr 2002, N. J. Cash wrote:

> Date: Tue, 2 Apr 2002 15:48:38 -0400
> From: N. J. Cash <ncash@pei.eastlink.ca>
> To: Jason Stone <jason@shalott.net>,
> Jesper Wallin <z3l3zt@phucking.kicks-ass.org>
> Cc: security@FreeBSD.ORG
> Subject: Re: Stop usage of "who"?
>
> As far as trying to chmod permissions on files I would recommend that you
> check out and use *jail* instead.
> Jail can be a little tricky to get going but it's a nice way to limit users
> to basically no or customized shell access commands.
> It can also prevent a cd .. to /home *so no looking around!*
>
> In FreeBSD *man jail* is a little funky to understand, I'd try a google
> search about it for some more detailed info..
>
> It'll work perfectly if you have the time and patience to do it : )
>
> Here's some info on quotas if you've never seen it yet..
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
>
> ----- Original Message -----
> From: Jason Stone
> To: Jesper Wallin
> Cc: security@FreeBSD.ORG
> Sent: Tuesday, April 02, 2002 4:05 AM
> Subject: Re: Stop usage of "who"?
>
>
>
> > Now I want to stop usage of commands like w, who and users.. I guess
> > it must be able to change somewhere in the proc dir instead of
> > changing the permissions on all the executables..
>
> Most daemons/programs that log you in write a record into utmp/wtmp when
> they do so, and who(1) _et al_ just read utmp and print out whatever is in
> it.
>
> So to make this mechanism fail, it is sufficient to either stop the
> writing to utmp/etc, or to stop the reading of utmp/etc.
>
> The files in question are (from /usr/include/utmp.h):
> #define _PATH_UTMP "/var/run/utmp"
> #define _PATH_WTMP "/var/log/wtmp"
> #define _PATH_LASTLOG "/var/log/lastlog"
>
> Making all these files mode 600 would allow who(1) to be run normally by
> root but fail for normal users. Also remember to change newsyslog.conf so
> that the restrictive permissions will get preserved when the files get
> rotated.
>
>
> Note that users will still be able to see some information about other
> users. netstat(1), for example, will show users all open network
> connections, vmstat(8) will allow users to see if someone is working at
> the physical console, etc.
>
>
> > Another thing I want to do (if it's possible) is to add a default
> > quota.. like, all new users who are being added will have about 500Mb of
> > disk space..
>
> quotas are discussed in detail in section 12.5 of the handbook - check
> that out and then mail freebsd-questions if you have specific questions.
> If you're wondering strictly about setting the default when you create
> users, well then it depends on how you're creating the users, and there
> are many approaches you can take depending on your needs. wrapping pw(8)
> with a shell or perl script and running another script from cron to check
> that all users have a quota is the approach I'd take.
>
>
> -Jason
>
> -----------------------------------------------------------------------
> I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry
> that 10 or 15 years from now, she will come to me and say "Daddy, where
> were you when they took freedom of the press away from the Internet?"
> -- Mike Godwin
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
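
An added example, not part of the original thread or any poster's code: a small audit for the advice quoted above, checking that the three login-record files from utmp.h are mode 600 and that their newsyslog.conf entries would keep that mode after rotation. The function names are hypothetical, and the parser assumes the mode is the second field of an entry, or the third when an owner:group field comes first.

```sh
#!/bin/sh
# Added example, not from the thread. Paths are the ones quoted from utmp.h;
# function names are hypothetical.
LOGIN_FILES="/var/run/utmp /var/log/wtmp /var/log/lastlog"

# Print a file's octal permission bits (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# List login-record files whose mode is not 600.
# $1 is an optional root prefix, so a copy of the tree can be audited.
loose_files() {
    for f in $LOGIN_FILES; do
        [ -e "$1$f" ] || continue
        m=$(file_mode "$1$f")
        [ "$m" = "600" ] || echo "$f $m"
    done
}

# List newsyslog.conf entries for those files whose mode field is not 600.
# Assumption: the mode is field 2, or field 3 when an owner:group field
# precedes it.
loose_rotations() {
    awk -v files="$LOGIN_FILES" '
        BEGIN { n = split(files, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        /^[ \t]*#/ || NF < 3 { next }
        ($1 in want) {
            mode = ($2 ~ /^[0-7]+$/) ? $2 : $3
            if (mode != "600") print $1, mode
        }' "$1"
}

# When run on a host, audit the live files and the live rotation config.
loose_files ""
if [ -r /etc/newsyslog.conf ]; then
    loose_rotations /etc/newsyslog.conf
fi
```

Any line of output names a file, or a rotation entry, that would let non-root users read login records again.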


