Dennis Clarke wrote:
Menno Lageman wrote:
Dennis Clarke wrote:
 I personally have always wondered why the ps command displays what root is
 doing to ordinary users like as if it is any of their business but that
 is another idea I just let rattle around in my head.

Dennis,

You can do this (in Solaris 10 and up) by taking away the proc_info
privilege from a user.

$ ppriv -vl proc_info
proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to.  Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.

To take away proc_info from user xyz you would add the following entry
to /etc/user_attr:

    xyz::::defaultpriv=basic,!proc_info

And the less you can do as a normal user, the more people will be
tempted to run as root all the time.  Life (and hence security) is full
of these little tradeoffs.

No Sir, I don't think so.

I would simply employ more of the RBAC features and perhaps create a user
called admin with considerable influence as well as enable *some* of the
audit features in Solaris.  One has to be careful with that however as you
can fill a disk with audit logs daily on a busy server.

People, ordinary users, do NOT ever need to be root.

Well, I wouldn't have been able to do my job on most of the work systems I've had for the past 30 years without root or equivalent access a lot of the time. (Not even counting systems where my job included being the sysadmin.) Software development is like that.
--
David Dyer-Bennet, [EMAIL PROTECTED]; http://dd-b.net/dd-b
Pics: http://dd-b.net/dd-b/SnapshotAlbum, http://dd-b.net/photography/gallery
Dragaera: http://dragaera.info
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
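
Added example (not part of the original thread): a small shell audit that reads a file in the user_attr layout quoted above and reports, per user, whether defaultpriv explicitly drops proc_info. The function names and sample entries are constructed for illustration, and the parser assumes one entry per line.

```shell
#!/bin/sh
# Added example: report whether each user_attr(4)-style entry drops proc_info.

# Constructed sample entries (user:qualifier:res1:res2:attr); not from a real host.
sample_user_attr() {
    cat <<'EOF'
# constructed sample
root::::profiles=All
xyz::::defaultpriv=basic,!proc_info
dev::::profiles=Software Installation;defaultpriv=basic,!proc_session,!proc_info
ops::::defaultpriv=basic
EOF
}

# proc_info_status [FILE]: print "user<TAB>status" for each entry, where status is
#   removed         defaultpriv lists !proc_info
#   not-negated     defaultpriv is set but does not negate proc_info
#   no-defaultpriv  entry has no defaultpriv key
# Reads stdin when FILE is omitted. Assumes one entry per line.
proc_info_status() {
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }            # comments, blanks, short lines
        {
            attr = $5                             # re-join if a value held ":"
            for (k = 6; k <= NF; k++) attr = attr ":" $k
            status = "no-defaultpriv"
            n = split(attr, kv, ";")              # attr is key=value;key=value
            for (i = 1; i <= n; i++) {
                eq = index(kv[i], "=")
                if (substr(kv[i], 1, eq - 1) != "defaultpriv") continue
                status = "not-negated"
                m = split(substr(kv[i], eq + 1), priv, ",")
                for (j = 1; j <= m; j++)
                    if (priv[j] == "!proc_info") status = "removed"
            }
            printf "%s\t%s\n", $1, status
        }' ${1+"$1"}
}

# Demo on the constructed sample; on a Solaris host pass /etc/user_attr instead.
sample_user_attr | proc_info_status
```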