Subject: Restricting kern.proc* access
To: None <tech-kern@netbsd.org>
From: None <xs@nitric.net>
List: tech-kern
Date: 10/17/2001 21:30:51
Hi,
I have had my first attempt at writing something relatively useful
for the NetBSD kernel. I would really appreciate any comments, and
also any advice as to whether I should do anything with this code
other than use it myself, and if so, what.

The patches introduce two new sysctls, kern.restrict_proc and
kern.restrict_proc_gid.
When kern.restrict_proc is set to 1 (it defaults to 0), only root
and those users in the group specified numerically by
kern.restrict_proc_gid may view the details of processes they do
not own. Normal users may only see their own processes.

I believe this patch is useful because it gives users privacy
from each other whilst at the same time not limiting the genuine
need for some users (say, system administration staff) to be able
to see everything that is going on without always becoming the
superuser. One example where this would be useful is on a shell
server (depending on its policy).

The patches are against 1.5.1, as I have not yet got the -current
source anywhere. They are available here:

http://nitric.net/~xs/restrict_proc.tar.gz
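
The visibility rule described in the message above, as an added userland model in C; it is not code from the patch or from NetBSD. All struct and function names are hypothetical, the sample table, uids and gid 100 are constructed, and it assumes a single uid per caller and that membership covers both primary and supplementary groups.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

/* Hypothetical userland model; none of these names come from the patch. */
struct policy { int restrict_proc; gid_t restrict_proc_gid; };
struct cred   { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };
struct entry  { pid_t pid; uid_t owner; };

/* True if gid is the caller's primary or one of its supplementary groups. */
static bool in_group(const struct cred *c, gid_t gid)
{
    if (c->gid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* The rule from the post: unrestricted when the knob is 0; otherwise
 * root, the owner, and members of the exempt group may see the process. */
bool can_see(const struct policy *p, const struct cred *c, uid_t owner)
{
    if (p->restrict_proc == 0 || c->uid == 0 || c->uid == owner)
        return true;
    return in_group(c, p->restrict_proc_gid);
}

/* Constructed sample: process table plus three callers. */
static const struct entry table[] = { {1, 0}, {200, 1001}, {201, 1002}, {202, 1003} };
static const gid_t admin_groups[] = { 20, 100 };
static const struct cred callers[] = {
    { 0,    0,    NULL,         0 },   /* 0: root */
    { 1001, 1001, NULL,         0 },   /* 1: ordinary user */
    { 1002, 1002, admin_groups, 2 },   /* 2: member of gid 100 */
};

/* Number of table entries caller `who` can see with the given knob value
 * and gid 100 as the exempt group. */
size_t visible_count(int restrict_proc, int who)
{
    struct policy p = { restrict_proc, 100 };
    size_t n = 0;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (can_see(&p, &callers[who], table[i].owner))
            n++;
    return n;
}
```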