Hello,
> Suggestions like restricting access to /proc were named, but there > were few suggestions on how to properly implement this. > > Personally I'm a bit sceptic towards this kind of security through > obscurity, but I am hoping some of the readers of this list might have > some input on this. > > Does hiding process give a false sense of security? Is it worth the > effort? What problems can one run into by for example restricting > access to /proc? Are there better ways to hide process information > from users? > > Any input is well appreciated. I have some experience with having /proc hidden through the use of chrooted login environments. Hiding /proc is trivial in a chroot environment, just do nothing when you create the environment -- you have to take some extra effort to make it available (by mounting it in the chroot). The problem with this is that some applications need to see what is in /proc in order to work properly. This may or not be a problem, depending upon what you are trying to accomplish in your chroot space and what you want to allow to run there. Obvious applications are 'ps' and related programs, but other applications use /proc as well (I discovered that Cocoon2 does this, so a chrooted web server that uses Cocoon2 needs to mount /proc). In my opinion, the bottom line is that its not too hard to set up an environment that cannot see /proc, but its not always practical and shouldn't be relied upon in order to maintain security. Skip -- Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647 Taygeta Scientific Inc. INTERNET: [EMAIL PROTECTED] 1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com Monterey, CA. 93940
