Solved how to disable normal user read all system files in freebsd14.2 ?

Dear all:
I have a FreeBSD 14.2 system and used the command "adduser" to add a normal user "a". It is not in the wheel group.
When I log in to the FreeBSD 14.2 machine as user "a", this account can read all FreeBSD 14.2 configuration files, like /etc/rc.conf, /etc/pf.conf, etc.

1. I want to deny user "a" read access to all system configuration files.
2. User "a" can read and write only in the /home/a folder.
3. User "a" can run some apps.

How to do that? Thanks.
 
Question 1: First, nearly all configuration files are world readable. Please learn what the 9 permission bits (rwxrwxrwx) mean, how users and groups work. If something is world readable, there is nothing you can change on a per-user basis to take away their ability to read them.

Second, you could theoretically go in as root and make them not world readable. I bet nearly everything on the system would work. With networking and DNS lookups, I'm quite sure they would break.

Third, and most importantly: Why? The question you are asking is an XY problem: You want to do something, and are asking for help to do it. But if you don't explain to us what you are REALLY trying to accomplish, we can't give you help.

One possibility is that you think it is insecure that user "a" can read all these configuration files. It is not.

Question 2: For reading, see above. For writing: by default, normal users can only write to their home directory and to /tmp. So that's already there. Making it impossible for them to write into /tmp/ would break many programs.

Question 3: Do you want to restrict user "a" to only run a certain set of apps? In that case, here is a proposal: Change their login shell to be a specialized program which only allows them to run certain programs. But you have to be very careful in how you implement this; if you allow them programs that have the ability to "shell out" (such as emacs) or the ability to interpret user input as programs (such as the perl or python interpreter), they can still do anything they want.

I suspect that the problem you're trying to solve is not suitable for a normal user account on a Unix-style system.
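
The restricted login shell proposed in the answer above could look like the following menu (an added example, not part of the original post; the three allowed programs and the function names are assumptions). It maps each choice to a fixed absolute path, passes no user-supplied arguments, and refuses any allowlist entry that is a shell, editor, pager or interpreter.

```shell
#!/bin/sh
# Added example, not from the thread. The menu entries are assumptions.
PATH=/usr/bin:/bin; export PATH

# Map a menu choice to one fixed absolute path. The whole input line must
# match, so "2; sh" or "2 -x" is rejected rather than parsed.
resolve_choice() {
    case "$1" in
        1) echo /usr/bin/cal ;;
        2) echo /bin/date ;;
        3) echo /usr/bin/uptime ;;
        *) return 1 ;;
    esac
}

# Guard for whoever edits the allowlist later: shells, editors, pagers and
# interpreters let the user run arbitrary commands, which defeats the menu.
is_escape_prone() {
    case "${1##*/}" in
        sh|csh|tcsh|bash|zsh|vi|vim|emacs|less|more|man|perl|python*|ruby|awk)
            return 0 ;;
        *)  return 1 ;;
    esac
}

menu_loop() {
    trap '' INT QUIT TSTP      # keep Ctrl-C, Ctrl-\ and Ctrl-Z from stopping the menu
    while printf '1) cal  2) date  3) uptime  q) logout\n> ' &&
          IFS= read -r choice; do
        [ "$choice" = q ] && break
        if prog=$(resolve_choice "$choice") && ! is_escape_prone "$prog"; then
            "$prog" </dev/null # no arguments, no access to the menu's input
        else
            echo "not allowed"
        fi
    done
}

# Demo with constructed input. Installed as a login shell, this last line
# would be a plain "menu_loop" reading from the terminal.
printf '2\nsh\nq\n' | menu_loop
```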
 
Question 1: First, nearly all configuration files are world readable. Please learn what the 9 permission bits (rwxrwxrwx) mean, how users and groups work. If something is world readable, there is nothing you can change on a per-user basis to take away their ability to read them.
I do not really know what FreeBSD is, and I have read about the 9 permission bits. I think a new normal user doesn't have permission to read all system configuration files except the ones he created himself.


Third, and most importantly: Why? The question you are asking is an XY problem: You want to do something, and are asking for help to do it. But if you don't explain to us what you are REALLY trying to accomplish, we can't give you help.
1. Disable all new normal users from reading any system configuration file at any time, except the root account.
 
I think a new normal user doesn't have permission to read all system configuration files except the ones he created himself.
That is incorrect. On Unix systems (which includes Linux and Macintosh) all users can read most configuration files. There are exceptions for security-critical configuration files, such as the one that contains (encrypted) passwords.

1. Disable all new normal users from reading any system configuration file at any time, except the root account.
But why? What are you really trying to accomplish? Are you trying to make your system more secure? If yes, making config files unreadable will not help.
 
That is incorrect. On Unix systems (which includes Linux and Macintosh) all users can read most configuration files. There are exceptions for security-critical configuration files, such as the one that contains (encrypted) passwords.


But why? What are you really trying to accomplish? Are you trying to make your system more secure? If yes, making config files unreadable will not help.
I will try my solution for this, and share it with all.
 
you have not answered the question of "what are you trying to accomplish by doing this"

some of those files are supposed to be world readable. the rest of them do not contain anything worth protecting.
 
you have not answered the question of "what are you trying to accomplish by doing this"

some of those files are supposed to be world readable. the rest of them do not contain anything worth protecting.
Just one goal: stop a normal user from seeing the /etc/rc.conf content.
 
I think I got the goal.
You mentioned the user is not in wheel, so it makes sense to me if it's a user for a service.
You don't want that user to roam around the system.
Maybe you could achieve that with chmod flags by removing permission for "others", something like chmod 750.
But doing this can impact other services; you must know exactly what services are running in the system with non-root access.
 
Jail is not for this, because this computer is public for 9 normal users at different times. This PC has just one keyboard, mouse and screen, and these guys will use the Gnome GUI for daily business as a desktop. Not remote access, and not root.
You want the users to use Gnome without at least belonging to the wheel group?
You do realize that the environment (Xorg/Wayland and Gnome) needs read permissions to several system conf files, right?
Are you trying to achieve a sort of kiosk environment?
 
Just one goal: stop a normal user from seeing the /etc/rc.conf content.
But why? How does that help?

Let me give a few examples: rc.conf. The user can already see what the host name is (it's a variable in their shell, and they can run the hostname command). They can see the network configuration (they can run /sbin/ifconfig). They can see what services are configured (by running the ps command). If you look at the default permissions in /var/log, there is lots of stuff they can read there, which tells them what was configured.

Are you worried that your users are dangerous hackers, who will use the information gleaned from reading files in /etc to attack your system? In that case, (a) making files in /etc unreadable to them won't help, since they can get much of the same information elsewhere, and (b) you shouldn't have given them an account in the first place.
 
I guess this does not apply for local user access, but in case of SSH access I would expect you can chroot the user to his/her home directory and thus prevent the user from reading system files.
 
IIUC, /etc/rc is called by /sbin/init on booting to multiuser (at the moment, only root is active) and /etc/rc reads /etc/rc.conf and invokes other /etc/rc.* scripts such as /etc/rc.bsdextended, /etc/rc.firewall, /etc/rc.d/* and /usr/local/etc/rc.d/*.
This is why the network cannot work in single user mode (not yet initialized, or shut down).

So one possibility is creating /etc/rc.conf.local (used only when it exists), owned by root (group wheel) and having permission 750 (possibly 700 to disallow read even by members of group wheel), then making it contain what you REALLY DON'T WANT TO BE READ BY A REGULAR USER and what is NOT HARMFUL (would need tests) WHEN HIDDEN FROM EVERYONE EXCEPT ROOT.
Even in this case, anything harmful when moved to the /etc/rc.conf.local shall remain in world-readable /etc/rc.conf.

Note that the word "shall" needs to be considered as wordings in ISO9001 and so on. Not a regular emotional meaning.
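
The permission-bit point made earlier in the thread and the root-only /etc/rc.conf.local idea in the post above can be tried safely on a scratch directory (an added example, not part of the original post; the function names and file contents are constructed). It uses mode 600 rather than 700, since a file that is only read by /etc/rc needs no execute bit.

```shell
#!/bin/sh
# Added example, not from the thread. It works on a scratch directory with
# constructed files, so nothing under /etc is modified.

# List regular files under DIR whose "other" read bit (octal 004) is set,
# i.e. files every local account can read.
world_readable() {
    find "$1" -type f -perm -004 | sort
}

# Create DIR/NAME with mode 600. umask 077 makes the file private from the
# moment it exists, so there is no window where it is world readable.
make_private_conf() {
    ( umask 077 && : > "$1/$2" ) && chmod 600 "$1/$2"
}

# True when the group and other triplets of the mode string are empty.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Constructed stand-in for /etc: one ordinary file, one private override.
demo() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/rcdemo.XXXXXX") || return 1
    printf 'hostname="demo"\n' > "$d/rc.conf"
    chmod 644 "$d/rc.conf"
    make_private_conf "$d" rc.conf.local
    printf 'example_flags="constructed"\n' >> "$d/rc.conf.local"
    echo "world readable:"
    world_readable "$d"
    for f in "$d/rc.conf" "$d/rc.conf.local"; do
        if is_owner_only "$f"; then
            echo "owner only: $f"
        else
            echo "shared: $f"
        fi
    done
    rm -rf "$d"
}
demo
```

On a real system the same `world_readable /etc` listing shows how many files the defaults leave readable, which is the inventory to review before tightening any of them.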
 