From: Dan Nelson
To: Daniel Corbe
Cc: "Kenta S.", freebsd-questions@freebsd.org
Date: Wed, 2 Apr 2014 10:29:56 -0500
Subject: Re: Disable w / who

In the last episode (Apr 02), Daniel Corbe said:
> "Kenta S." writes:
> > Hi. On a multiuser system, is it possible to disable access to the "w"
> > and "who" commands? I'd rather all the users not be able to see each
> > other's IP addresses.
>
> chmod og-rx /usr/bin/who && chmod og-rx /usr/bin/w

Also remember to remove /var/run/utx.active, /var/log/utx.*, the netstat,
sockstat, and lsof commands, plus gcc, clang, and any ability to upload
executables :)

Unixes weren't really designed for information-hiding at the level you're
looking for. An alternative might be to do some sort of inbound NAT outside
the box itself, so that all incoming TCP sessions get NAT'ted to an internal
IP before hitting your server.

-- 
Dan Nelson
dnelson@allantgroup.com
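
Added example, not part of the original message: a POSIX sh audit of the files and commands named in the reply, reporting which of them group and other users can still read or execute after `chmod og-rx` has been applied to `w` and `who`. The function names are hypothetical; the paths come from the thread, and the bare command names are resolved through PATH.

```shell
#!/bin/sh
# Added example: check which of the thread's files and tools are still
# readable or executable by group/other, i.e. what "chmod og-rx" on w and
# who alone leaves exposed. Function names are hypothetical.

# Print the group+other permission characters (e.g. "r-xr-x") of a path.
# -L follows symlinks so a link such as gcc -> gcc-NN reports its target.
go_bits() {
    [ -e "$1" ] || return 1
    # Mode string layout: type, user(3), group(3), other(3); keep chars 5-10.
    ls -ldL -- "$1" | cut -c5-10
}

# Classify one path as "missing", "closed", or "open:<bits>".
# "closed" mirrors og-rx: no read or execute (incl. s/t) for group or other.
audit_path() {
    bits=$(go_bits "$1") || { echo "missing"; return 0; }
    case "$bits" in
        *[rxst]*) echo "open:$bits" ;;
        *)        echo "closed" ;;
    esac
}

# Walk everything the reply lists and report its state.
audit_all() {
    for p in /usr/bin/who /usr/bin/w /var/run/utx.active /var/log/utx.*; do
        printf '%-28s %s\n' "$p" "$(audit_path "$p")"
    done
    for c in netstat sockstat lsof gcc clang; do
        bin=$(command -v "$c" 2>/dev/null) || {
            printf '%-28s %s\n' "$c" "missing"
            continue
        }
        printf '%-28s %s\n' "$bin" "$(audit_path "$bin")"
    done
}

audit_all
```

Any `open:` line for a utx file or a listed tool is a path by which the same login and address data stays visible even with `w` and `who` locked down.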