:: Re: [DNG] Another multi-user issue
Page principale
Supprimer ce message
Répondre à ce message
Auteur: Trond Arild Ydersbond
Date:  
À: Jack L. Frost, Boruch Baum
CC: dng@lists.dyne.org
Nouveaux-sujets: [DNG] Building xorg-xvfb with vdev
Sujet: Re: [DNG] Another multi-user issue




Jack L. Frost <fbt@???>:
>On Sun, Apr 03, 2016 at 08:17:32PM -0400, Boruch Baum wrote:


>> Please consider setting the default /etc/fstab to include:
>>
>> proc            /proc           proc    defaults,hidepid=2

>>
>> This has the effect of keeping the specific activities, process ids,
>> command lines and parameters of a user from other users.


>I've been using hidepid=2 as a default in my toy distro and haven't found a
>usecase where that would be a bad default. So unless there are common enough
>usecases where users need to see others' processes, I agree.




In all cases of server use I have encountered, it has been important to see all processes running every now and then. For example, running SAS on a common server, I regularly need to know what's going on. And with a few hundred users, there isn't much sense in walking around asking them.

But if you ask a manufacturer of trojans, I'm sure he will say hiding processes is a very important security feature. Admin resources are often scarce, and in practice, much of the daily monitoring is done by ordinary users. Giving them su/root privileges just to watch some processes is surely not going to help overall security.

More generally, I think the productive way to proceed is to ask: Which of the Unix defaults lead to severe problems in practice? And when such are identified, find out if they should change, or if the better solution is to issue alerts (in manpages for example) and make it easy to tighten up the system.