Subject: Re: Restricting kern.proc* access
To: None <email@example.com>
From: Christos Zoulas <firstname.lastname@example.org>
Date: 10/17/2001 20:40:31
In article <20011017213051.A12053@nitric.net>, <email@example.com> wrote:
>I have had my first attempt at writing something relatively useful
>for the NetBSD kernel. I would really appreciate any comments, and
>also any advice as to whether I should do anything with this code
>other than use it myself, and if so, what.
>The patches introduce two new sysctls, kern.restrict_proc and
>When kern.restrict_proc is set to 1, (it defaults to 0) only root
>and those users in the group specified numerically by
>kern.restrict_proc_gid may view the details of processes they do
>not own. Normal users may only see their own processes.
>I believe this patch is useful because it gives users privacy
>from each other whilst at the same time not limiting the genuine
>need for some users (say, system administration staff) to be able
>to see everything that is going on without always becoming the
>superuser. One example where this would be useful is on a shell
>server. (depending on it's policy)
>The patches are against 1.5.1, as I have not yet got the -current
>source anywhere. They are available here:
Is there a real reason to have 2 sysctl variables? You could use -1
in the kern.restrict_proc_gid for the the unrestricted case..