Subject: Re: Restricting kern.proc* access
To: None <tech-kern@netbsd.org>
From: Christos Zoulas <christos@zoulas.com>
List: tech-kern
Date: 10/17/2001 20:40:31
In article <20011017213051.A12053@nitric.net>, <xs@nitric.net> wrote:
>
>Hi,
>I have had my first attempt at writing something relatively useful
>for the NetBSD kernel. I would really appreciate any comments, and
>also any advice as to whether I should do anything with this code
>other than use it myself, and if so, what.
>
>The patches introduce two new sysctls, kern.restrict_proc and
>kern.restrict_ proc_gid.
>When kern.restrict_proc is set to 1, (it defaults to 0) only root
>and those users in the group specified numerically by
>kern.restrict_proc_gid may view the details of processes they do
>not own. Normal users may only see their own processes.
>
>I believe this patch is useful because it gives users privacy
>from each other whilst at the same time not limiting the genuine
>need for some users (say, system administration staff) to be able
>to see everything that is going on without always becoming the
>superuser. One example where this would be useful is on a shell
>server. (depending on it's policy)
>
>The patches are against 1.5.1, as I have not yet got the -current
>source anywhere. They are available here:
>
>http://nitric.net/~xs/restrict_proc.tar.gz
Is there a real reason to have 2 sysctl variables? You could use -1
in the kern.restrict_proc_gid for the the unrestricted case..
christos