A brief look at FreeBSD

(yorickpeterse.com)

125 points todsacerdoti | 1 comments | 12 Nov 25 12:10 UTC | HN request time: 0.204s | source

Show context

Klonoar ◴[12 Nov 25 21:23 UTC] No.45906924[source]▶

> For a server there's no reason for user A to be able to see processes of user B.

I'm not sure about that. This isn't FreeBSD specific so it's a bit tangential, but I've certainly debugged systems where someone thought it appropriate to run their intensive job on a live box (mind boggling, yes). Seeing it smack dab under their name is kind of important.

Am I missing something?

replies(1): >>45908032 #

bartekrutkowski ◴[12 Nov 25 22:52 UTC] No.45908032[source]▶

>>45906924 #

This is about unprivileged users - privileged ones can see everything. The idea is to make figuring out what's the surface of the attack harder (for those attackers who are less than skilled) by making it less obvious that 10 years old game server process is running on this OS.

replies(1): >>45908581 #

1. toast0 ◴[12 Nov 25 23:51 UTC] No.45908581[source]▶

>>45908032 #

The sysctls affect all non-root users. If you have them set, you have to do all the admin work as root.

If you have them unset, you can login to the server as you, see what your service user is up to, and only have to do interventions as the service user or root depending.

If you don't want your service to see what else is going on on the server, you can put it in a jail and not allow jailed processes to see out; not a bad idea to do that anyway, although it does mean starting the service needs root when it likely wouldn't otherwise (you can drop the high priviledged port to 79 and then your service can listen on port 80 without root)

↑