DaemonForums  

Go Back   DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 8th June 2008
mike mike is offline
New User
 
Join Date: Jun 2008
Posts: 1
Default chmods for users & hiding processes

Hello!
I couldn't find any solution to my problems, so I'm asking there:

1. How should I set chmods for filesystem (/etc, /usr/, /var/, etc.) to hide contents of those folders for users, but to make it possible to execute such commands like uptime, uname, date, etc.

2. What should I do to hide non-user's processes? I mean users will only be able to display the processes that are owned by that user. In FreeBSD I have added 'security.bsd.see_other_uids=0' in /etc/sysctl.conf and that was everything, but how can I do this in OpenBSD?
Reply With Quote
  #2   (View Single Post)  
Old 8th June 2008
jggimi's Avatar
jggimi jggimi is offline
More noise than signal
 
Join Date: May 2008
Location: USA
Posts: 7,975
Default

These sorts of questions has been asked again and again over the years; searching the misc@ archives will give you an idea of just how many times.

The short answer is that you cannot "hide" files required for functionality without damaging or eliminating function. This is OpenBSD, where there is no reason to do so.

Even processes in a chrooted subsystem (where each process could have private copies of /etc, /usr, and /var) share memory. ps(1) and similar tools can be used to obtain information about running processes, regardless.

Longer answers can be found in the archives, where users have posted examples of modifications to ps(1) and other userland applications... it was pointed out to them that if a shell user can transfer data, the the shell user can transfer standard binaries and use them anyway.

Many users do not install the compiler fileset on computers they wish to keep "extra secure" -- thinking that if an attacker reached a shell, they would not be able to compile removed utilities, or perhaps even rootkits. These users do not seem to realize that, if an attacker can reach a shell, the attacker can probably bring binaries or even compilers along with them.
Reply With Quote
  #3   (View Single Post)  
Old 12th June 2008
cursedcompiler cursedcompiler is offline
New User
 
Join Date: Jun 2008
Posts: 7
Default

standard unix filesystem permissions should be adequate to protect a system from its users (the defaults on OpenBSD are good enough), but if you're really paranoid, you should run NetBSD (has veriexec, per user /tmp and a security.curtain sysctl) or FreeBSD (has a complete MAC framework and lots of other goodies from the TrustedBSD project); on OpenBSD, you can always tighten the filesystem permissions some more, or slap immutable flags on files, or mount partitions read-only, or chroot your users in their own environment (lots of work, if you want to do that)...
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Prevent users from using proxy bichumo General software and network 8 20th April 2009 01:00 PM
See processes on other servers? biscuits FreeBSD General 2 20th January 2009 04:15 AM
ftpd and hiding . files crofox OpenBSD Packages and Ports 5 26th June 2008 03:01 AM
DMZ for two networks users... maurobottone OpenBSD Security 6 2nd June 2008 02:57 PM
TeX for troff users? DrJ Off-Topic 0 2nd May 2008 09:29 PM


All times are GMT. The time now is 03:22 AM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick