From owner-freebsd-security Tue Apr 2 23:16:14 2002
Date: Wed, 3 Apr 2002 19:15:53 +1200 (NZST)
From: Andrew McNaughton
To: "N. J. Cash"
Cc: Jason Stone, Jesper Wallin
Subject: Re: Stop usage of "who"?
In-Reply-To: <002301c1da7f$629f66c0$6401a8c0@router.unknown.ca>
Message-ID: <20020403190942.D92128-100000@a2>

Has anyone developed tools for managing software updates over a large
number of jails? I'm thinking along the lines of freevsd (that is a 'v').

Also (related): is NFS ever likely to play nicely with jails, and what
alternatives are there for providing access to a shared read-only file
area for things like ports, packages and recently built FreeBSD
source/object files?

Andrew McNaughton

On Tue, 2 Apr 2002, N. J. Cash wrote:

> Date: Tue, 2 Apr 2002 15:48:38 -0400
> From: N. J. Cash
> To: Jason Stone, Jesper Wallin
> Cc: security@FreeBSD.ORG
> Subject: Re: Stop usage of "who"?
>
> As far as trying to chmod permissions on files, I would recommend that you
> check out and use *jail* instead.
> Jail can be a little tricky to get going, but it's a nice way to limit users
> to basically no or customized shell access commands.
> It can also prevent a cd .. to /home *so no looking around!*
>
> In FreeBSD *man jail* is a little funky to understand; I'd try a Google
> search about it for some more detailed info..
> It'll work perfectly if you have the time and patience to do it : )
>
> Here's some info on quotas if you have never seen it yet..
>
> http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/quotas.html
>
>
> ----- Original Message -----
> From: Jason Stone
> To: Jesper Wallin
> Cc: security@FreeBSD.ORG
> Sent: Tuesday, April 02, 2002 4:05 AM
> Subject: Re: Stop usage of "who"?
>
>
> > Now I want to stop usage of commands like w, who and users.. I guess
> > it must be able to change somewhere in the proc dir instead of
> > changing the permissions on all the executables..
>
> Most daemons/programs that log you in write a record into utmp/wtmp when
> they do so, and who(1) _et al_ just read utmp and print out whatever is in
> it.
>
> So to make this mechanism fail, it is sufficient to either stop the
> writing to utmp/etc, or to stop the reading of utmp/etc.
>
> The files in question are (from /usr/include/utmp.h):
>
>     #define _PATH_UTMP    "/var/run/utmp"
>     #define _PATH_WTMP    "/var/log/wtmp"
>     #define _PATH_LASTLOG "/var/log/lastlog"
>
> Making all these files mode 600 would allow who(1) to be run normally by
> root but fail for normal users. Also remember to change newsyslog.conf so
> that the restrictive permissions will get preserved when the files get
> rotated.
>
>
> Note that users will still be able to see some information about other
> users. netstat(1), for example, will show users all open network
> connections, vmstat(8) will allow users to see if someone is working at
> the physical console, etc.
>
>
> > Another thing I want to do (if it's possible) is to add a default
> > quota.. like, all new users who are being added will have about 500Mb of
> > disk space..
>
> Quotas are discussed in detail in section 12.5 of the handbook - check
> that out and then mail freebsd-questions if you have specific questions.
> If you're wondering strictly about setting the default when you create
> users, well then it depends on how you're creating the users, and there
> are many approaches you can take depending on your needs. Wrapping pw(8)
> with a shell or perl script and running another script from cron to check
> that all users have a quota is the approach I'd take.
>
>
> -Jason
>
> -----------------------------------------------------------------------
> I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry
> that 10 or 15 years from now, she will come to me and say "Daddy, where
> were you when they took freedom of the press away from the Internet?"
> -- Mike Godwin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
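Jason's advice above has two halves: make utmp/wtmp/lastlog mode 600, and make sure newsyslog.conf does not reopen them with the default mode at the next rotation. The script below is an added example (not code from anyone in this thread) that audits both conditions; the newsyslog.conf it reads is a constructed sample with one weak and one corrected entry, so it runs offline, and on a real FreeBSD host you would point it at /etc/newsyslog.conf and the live files.

```shell
#!/bin/sh
# Added example: audit the utmp/wtmp/lastlog hardening from the thread.
# Checks (1) each file is mode 600 now and (2) newsyslog.conf will keep
# it at 600 after rotation. The sample conf below is constructed for the
# demo; it is not the FreeBSD default file.

# has_mode FILE SYMBOLIC: 0 if `ls -l` shows exactly that mode string,
# e.g. has_mode /var/run/utmp '-rw-------'. Portable across BSD/GNU ls.
has_mode() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# newsyslog_mode CONF LOGFILE: print the mode newsyslog applies to
# LOGFILE after rotation; empty if the file is not rotated at all.
# Field 2 is an optional owner:group, so the mode is field 2 or field 3.
newsyslog_mode() {
    awk -v p="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == p { m = ($2 ~ /:/) ? $3 : $2; print m; exit }
    ' "$1"
}

# rotation_ok CONF LOGFILE: 0 if rotation leaves LOGFILE unreadable to
# ordinary users (mode 600, or never rotated), 1 if it would reopen it.
rotation_ok() {
    m=$(newsyslog_mode "$1" "$2")
    [ -z "$m" ] || [ "$m" = 600 ]
}

# Constructed sample: wtmp still carries 644, which would undo a
# chmod 600 at the next rotation; the lastlog entry has been corrected.
SAMPLE_CONF=$(mktemp "${TMPDIR:-/tmp}/newsyslog.XXXXXX")
cat > "$SAMPLE_CONF" <<'EOF'
# logfilename        [owner:group]  mode count size when   flags
/var/log/wtmp                       644  3     *    @01T05 B
/var/log/lastlog     root:wheel     600  3     *    @01T05 B
EOF

# audit_host CONF: report each file that is readable by others now or
# would become so after rotation; returns 1 if anything is wrong.
audit_host() {
    rc=0
    for f in /var/run/utmp /var/log/wtmp /var/log/lastlog; do
        [ -e "$f" ] && ! has_mode "$f" '-rw-------' && { echo "$f: not mode 600"; rc=1; }
        rotation_ok "$1" "$f" || { echo "$f: newsyslog.conf reopens it as $(newsyslog_mode "$1" "$f")"; rc=1; }
    done
    return $rc
}

audit_host "$SAMPLE_CONF" || echo "audit found problems"
```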