casper at camelot
Nov 17, 2004, 8:22 AM
Post #1 of 2
By enabling the /proc restrictions in grsec, users (among other things) cannot
view who is logged in with w:
[10:13:39] casper [at] camelo:[~]$ w
10:13:40 up 40 days, 15:48, 4 users, load average: 0.28, 0.26, 0.10
USER TTY LOGIN@ IDLE JCPU PCPU WHAT
[10:13:40] casper [at] camelo:[~]$
However, this can easily be bypassed with who:
[10:13:40] casper [at] camelo:[~]$ who
casper vc/5 Nov 12 07:28
casper pts/696 Nov 1 15:57
casper pts/1007 Nov 16 15:25 (work)
casper pts/1033 Nov 17 10:13 (work)
[10:14:11] casper [at] camelo:[~]$
While it is true that who will not display the command currently active for
each user, everything else can be viewed from who also.
Couldn't it be possible for grsec to have another option
(restrict /var/run/utmp and /var/log/wtmp)? Users need neither read
nor write access (the logging done in the files is done at login).
Just a thought...:)
In Linux We TrUsT !
gentoo-hardened [at] gentoo mailing list
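
Added example, not part of the original post and not grsecurity code: a POSIX shell check an administrator can run to see whether the two files named in the post are readable by unprivileged users. The function names record_status and audit_login_records are made up for this example.

```shell
#!/bin/sh
# Added example: report login-record files that "other" users can read.
# The default paths are the two files named in the post.

# Print the status of one file: exposed / restricted / missing.
record_status() {
    f=$1
    if [ ! -e "$f" ]; then
        echo missing
        return 0
    fi
    # -L follows symlinks (/var/run is often a symlink to /run).
    # Character 8 of the mode string is the read bit for "other".
    mode=$(ls -ldL -- "$f" | cut -c1-10)
    case $(printf '%s' "$mode" | cut -c8) in
        r) echo exposed ;;
        *) echo restricted ;;
    esac
}

# Audit every file given; return 1 if any of them is world-readable.
audit_login_records() {
    rc=0
    for f in "$@"; do
        s=$(record_status "$f")
        printf '%-12s %s\n' "$s" "$f"
        if [ "$s" = exposed ]; then
            rc=1
        fi
    done
    return $rc
}

# Check the files from the post; the exit status is ignored here so the
# script can also be sourced for its functions.
audit_login_records /var/run/utmp /var/log/wtmp || true
```

A line starting with "exposed" means any local user can read that file directly, whatever the /proc restrictions hide.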