Re: Boost OpenBSD security - Zophie for 3.9

Mon, 03 Jul 2006 03:52:58 -0700 

At 07:18 2006-07-03, you wrote:

On 7/2/06, Marcin Wilk <[EMAIL PROTECTED]> wrote:

At 22:35 2006-07-02, you wrote:
>On Sun, Jul 02, 2006 at 12:20:49PM -0700, Greg Thomas wrote:
> > On 7/2/06, Tobias Ulmer <[EMAIL PROTECTED]> wrote:
> >> On Sun, Jul 02, 2006 at 03:13:59PM +0200, Tomasz Zielinski wrote:
> >>> Hello,
> >>>
> >>> Zophie is patch that contains new security features for OpenBSD 3.9. BSD 
> >>> license. I have not tested it personaly, but probably it's worth to
> >>> analyze it and maybe even incorporate. More info:
> >>> http://www.0penbsd.com/zophie.html, http://akcja.0penbsd.com/zosia/
> >>>
> >> I normally don't take the bait, but this one is so cute...
> >>
> >> After reading through the diffs: (not supplied for added obfusication?)
> >>
> >> - add a new sysctl to the kernel.
> >> - patch some userland tools.
> >> - If this sysctl is set, supress certain information.
> >>
> >> Rocket sience! Even the dumbest scriptkiddie could just compile
> >> and run these tools from the original OpenBSD sources.
> >>
> >> Probably the whole "Polish Underground Group profess OpenBSD OS as a
> >> religion" is a big subtle joke? If so, well done and thanks for the good 
> >> laugh :)
> >
> > If it is a subtle joke I sure like the screenshots of the install.
>
>However, note that the page is quite frank about what is being done,
>from the web page quoted above:
>
>- kern.zophie.privacy
>   This setting is responsible for process privacy in finger, last,
>netstat, ps, users, w, and who.
>   Value 1 turns on this feature.
>
>This, obviously, still doesn't make it very useful (if only because,
>even after you've mounted everything noexec, you still have top, and so
>on and so forth) - but the above should be enough to arouse suspicion.
>
>                 Joachim

Process privacy itself is done in kernel so top & other tools (like
lsof for example) will not work.
Ps, users, w & who are pathed to not show other users that are in &
this is independent with process privacy.

You may find OpenBSD that is on screenshots here:
http://nicram.sytes.net/openbsd/openbsd-3.9-i386-zophie.iso
It is extactly same OpenBSD.
& yes it is very easy to make it on Your own :) This is how KISS apps
should be made, even when they change something in kernel :)

Best Regards


Do I understand correctly I could just cvs co usr/bin/who and use the
official who and see who is online?


Yes because only process privacy is done in kernel.

Reply via email to