> Menno Lageman wrote:
>> Dennis Clarke wrote:
>>>
>>>  I personally have always wondered why the ps command displays what
>>>  root is doing to ordinary users like as if it is any of their business
>>>  but that is another idea I just let rattle around in my head.
>>>
>>
>> Dennis,
>>
>> You can do this (in Solaris 10 and up) by taking away the proc_info
>> privilege from a user.
>>
>> $ ppriv -vl proc_info
>> proc_info
>>         Allows a process to examine the status of processes other
>>         than those it can send signals to.  Processes which cannot
>>         be examined cannot be seen in /proc and appear not to exist.
>>
>> To take away proc_info from user xyz you would add the following entry
>> to /etc/user_attr:
>>
>>     xyz::::defaultpriv=basic,!proc_info
>
> And the less you can do as a normal user, the more people will be
> tempted to run as root all the time.  Life (and hence security) is full
> of these little tradeoffs.

No Sir, I don't think so.

I would simply employ more of the RBAC features and perhaps create a user
called admin with considerable influence as well as enable *some* of the
audit features in Solaris.  One has to be careful with that however as you
can fill a disk with audit logs daily on a busy server.

People, ordinary users, do NOT ever need to be root.

Dennis Clarke

_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
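
An added example, not part of the original thread: a small audit that reads entries in the /etc/user_attr layout quoted above and reports which accounts have had proc_info taken out of their default privilege set. The function names and sample entries are constructed for illustration; it assumes the defaultpriv tokens are evaluated left to right, handles only the tokens basic, all, none and proc_info (with the `!` or `-` removal prefix), and treats an entry with no defaultpriv key as keeping the basic set.

```shell
#!/bin/sh
# Added example: per user_attr entry, does proc_info survive in defaultpriv?

# Constructed sample in user_attr(4) layout: user:qualifier:res1:res2:attr
sample_user_attr() {
cat <<'EOF'
# constructed sample entries, not from a real system
root::::auths=solaris.*;profiles=All
xyz::::defaultpriv=basic,!proc_info
abc::::type=normal;defaultpriv=basic,-proc_info,-proc_session
def::::profiles=Basic Solaris User
ghi::::defaultpriv=basic
EOF
}

# Reads user_attr lines on stdin, prints "user<TAB>restricted|unrestricted".
audit_proc_info() {
    awk -F: '
    /^[ \t]*#/ || NF < 5 { next }      # skip comments, blanks, short lines
    {
        # attr is field 5 onward; rejoin in case a value contains a colon
        attr = $5
        for (i = 6; i <= NF; i++) attr = attr ":" $i
        has = 1        # assumption: no defaultpriv key means the basic set
        n = split(attr, kv, ";")
        for (i = 1; i <= n; i++) {
            if (kv[i] !~ /^defaultpriv=/) continue
            has = 0    # an explicit spec starts from the empty set
            m = split(substr(kv[i], 13), tok, ",")
            for (j = 1; j <= m; j++) {
                t = tok[j]
                if (t == "basic" || t == "all" || t == "proc_info") has = 1
                else if (t == "none" || t == "!proc_info" || t == "-proc_info") has = 0
            }
        }
        printf "%s\t%s\n", $1, (has ? "unrestricted" : "restricted")
    }'
}

# Stand-alone run against the constructed sample
sample_user_attr | audit_proc_info
```

On a live system the function would be fed the real file (`audit_proc_info < /etc/user_attr`), and `ppriv` on a process owned by the account confirms what the kernel actually applied.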
