:: Re: [DNG] Another multi-user issue
Author: Trond Arild Ydersbond
Date:
To: Jack L. Frost, Boruch Baum
CC: dng@lists.dyne.org
Subject: Re: [DNG] Another multi-user issue




Jack L. Frost <fbt@???>:
>On Sun, Apr 03, 2016 at 08:17:32PM -0400, Boruch Baum wrote:
>> Please consider setting the default /etc/fstab to include:
>>
>> proc            /proc           proc    defaults,hidepid=2
>>
>> This has the effect of keeping the specific activities, process ids,
>> command lines and parameters of a user from other users.
>
>I've been using hidepid=2 as a default in my toy distro and haven't found a
>use case where that would be a bad default. So unless there are common enough
>use cases where users need to see others' processes, I agree.




In all cases of server use I have encountered, it has been important to see all processes running every now and then. For example, running SAS on a common server, I regularly need to know what's going on. And with a few hundred users, there isn't much sense in walking around asking them.

But if you ask a manufacturer of trojans, I'm sure he will say hiding processes is a very important security feature. Admin resources are often scarce, and in practice, much of the daily monitoring is done by ordinary users. Giving them su/root privileges just to watch some processes is surely not going to help overall security.

More generally, I think the productive way to proceed is to ask: Which of the Unix defaults lead to severe problems in practice? And when such are identified, find out if they should change, or if the better solution is to issue alerts (in manpages for example) and make it easy to tighten up the system.
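
An added example, not part of the original message or of the Devuan project: a small audit helper that reports which hidepid mode the /proc entry of an fstab- or mounts-format listing selects. It also reports gid=, a standard procfs mount option not mentioned in the thread that exempts one group from the restriction; the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Read fstab/mounts-format lines on stdin and report the hidepid and gid
# options of the /proc entry. Live system: proc_hidepid_status < /proc/mounts
proc_hidepid_status() {
    awk '
        /^[ \t]*#/ { next }                        # skip fstab comments
        $2 == "/proc" && $3 == "proc" {
            hide = "0"; gid = "none"               # kernel default: nothing hidden
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) {
                if (opts[i] ~ /^hidepid=/) hide = substr(opts[i], 9)
                if (opts[i] ~ /^gid=/)     gid  = substr(opts[i], 5)
            }
            found = 1                              # a later entry overrides an earlier one
        }
        END {
            if (!found) { print "no-proc-entry"; exit }
            print "hidepid=" hide " gid=" gid
        }
    '
}

# Translate a hidepid value into its effect on unprivileged users.
# Newer kernels print the named forms in /proc/mounts.
hidepid_meaning() {
    case "$1" in
        0|off)       echo "all users can read every /proc/PID" ;;
        1|noaccess)  echo "other users' /proc/PID are listed but unreadable" ;;
        2|invisible) echo "other users' /proc/PID are hidden entirely" ;;
        *)           echo "unrecognised value" ;;
    esac
}

# Constructed sample lines: the proposed fstab default, then the same
# mount with a monitoring group (gid 27 is a made-up value) exempted.
printf '%s\n' 'proc /proc proc defaults,hidepid=2 0 0' | proc_hidepid_status
printf '%s\n' 'proc /proc proc defaults,hidepid=2,gid=27 0 0' | proc_hidepid_status
hidepid_meaning 2
```

Members of the group named by gid= see all processes as under hidepid=0, without being given root.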