Re: Disabling netstat

To: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>
Cc: debian-security@lists.debian.org
Subject: Re: Disabling netstat
From: Brian McGroarty <brian@mcgroarty.net>
Date: Sun, 20 Apr 2003 19:01:41 -0500
Message-id: <[🔎] 20030421000141.GA24079@mcgroarty.net>
In-reply-to: <[🔎] 0304210152380.-1073758512@somehost>
References: <[🔎] 20030420130651.GA4359@mcgroarty.net> <[🔎] 0304210152380.-1073758512@somehost>

On Mon, Apr 21, 2003 at 01:53:48AM +0200, Cristian Ionescu-Idbohrn wrote:
> On Sun, 20 Apr 2003, Brian McGroarty wrote:
> 
> > I'd like to disable netstat and similar programs for my shell
> > users.
> 
> Could this be an alternative solution?
> 
> # dpkg-statoverride --update --add root root 700 /bin/netstat

The problem is that netstat sources its information from
world-readable sources in /proc, so people could still build their own
netstat or parse /proc on their own.

So far as I can tell, there's no non-hackish way to accomplish what
I'd like. I have to either hold a file open to make chmod changes stay
in effect in /proc, or I have to patch the kernel.

This sure seems kind of silly... why add all these things into Big
Giant Namespace and not honor all of the conventions of the same? I
think /proc/* not supporting chmod changes for the duration of a
system's uptime could be classified as a bug or a major design
flaw. :/

Reply to:

Follow-Ups:
- Re: Disabling netstat
  - From: Olaf Dietsche <olaf+list.debian-security@olafdietsche.de>
- Re: Disabling netstat
  - From: Markus Kolb <debian@tower-net.de>

References:
- Disabling netstat
  - From: Brian McGroarty <brian@mcgroarty.net>
- Re: Disabling netstat
  - From: Cristian Ionescu-Idbohrn <cristian.ionescu-idbohrn@axis.com>

Prev by Date: Re: Disabling netstat
Next by Date: Re: cfengine client behind NAT
Previous by thread: Re: Disabling netstat
Next by thread: Re: Disabling netstat
Index(es):
- Date
- Thread