Subject: Re: Preventative security features?
To: None <tech-security@netbsd.org>
From: Dmitri Nikulin <setagllib@optusnet.com.au>
List: tech-security
Date: 11/13/2004 18:30:47
Sascha Retzki wrote:

>On Sat, Nov 13, 2004 at 04:45:38PM +1100, Dmitri Nikulin wrote:
>  
>
>>One thing that is definitely a very good privacy/security feature is 
>>what FreeBSD implemented that can prevent users seeing the PIDs (or 
>>indeed any info) of processes they don't own, via ps or top or whatever 
>>else. Nobody can argue that this is a Good Thing on a shared shell 
>>server. Whether or not this is easy to implement cleanly is another matter.
>>    
>>
>
>
>
>A question, is that the default behavior or because of their jail-stuff?
>And, heh, what do you say about jails? My impression was that half of the
>effects are "reproduceable" with tools we already have, I end up with "virtual
>servers", so a user logs in via ssh on 192.168.0.2, and it looks like he owns
>the machine, he is root and so on but indeed its just a "chroot'ed and 
>systrace'd working environment" which is represented to the host system as a 
>file.
>
>
>  
>
Even without a full jail the PID walling-off allows just as much access 
to the system, but ensures they have no idea what pids exist and 
certainly not what programs/users are working with them. It's not 
jailing so much as blindfolding.

I'll have to try the chrooting to a vnode thing, sounds like fun. 
Definitely a good way to confuse a newbie. Any tips or guides on the 
procedure?