[alt.sources] Need a "watching" program

rustcat@csli.Stanford.EDU (Vallury Prabhakar) (05/11/89)

Hi,

 I was wondering if there is any way of keeping track of any/every body who
 looks around in my home directory?  'twould be nice if this program could
 create and append to a logfile, each time some user chdir-ed to my $HOME.
  
 I'm not a systems hacker so I have no idea what this entails.  My apologies
 if this request sounds ridiculous.  

 Thanks in advance.

						-- Vallury Prabhakar

--
rustcat@cnc-sun.stanford.edu

sean@ms.uky.edu (Sean Casey) (05/11/89)

In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury Prabhakar) writes:
> I was wondering if there is any way of keeping track of any/every body who
> looks around in my home directory?  'twould be nice if this program could
> create and append to a logfile, each time some user chdir-ed to my $HOME.

This isn't possible under most versions of Unix. It *might* be possible
under a secure Unix with audit trails, but I'm not too familiar with secure
Unixes.

An easy solution is to "cd; chmod 700 .". That will insure that no one can
go into your home directory.

Sean
-- 
***  Sean Casey                         sean@ms.uky.edu, sean@ukma.bitnet
***  Quid, me vexari?                   {backbone|rutgers|uunet}!ukma!sean
***  ``BITNET: slower than a speeding mountain...''

rustcat@csli.Stanford.EDU (Vallury Prabhakar) (05/12/89)

In article <11680@s.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:

% An easy solution is to "cd; chmod 700 .". That will insure that no one can
% go into your home directory.

A lot of people have been taking potshots at me for having asked the original
question, so let me clarify. 

I know how to protect my files from being `rwx' by others.  That is not the
purpose I had in mind. I was just curious to find out if such a monitoring 
program is possible on Unix machines.  There can be non-paranoid uses for
this, such as keeping statistics on the usage of a particular program in
my home directory by others, for example.  

I gather that it's not possible to do this, short of overhauling the 
kernel.  Thank you.  We now return you to your scheduled programming.

						-- Vallury Prabhakar

faigin@sunstroke.aero.org (Daniel P. Faigin) (05/12/89)

In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury
Prabhakar) writes: 
> I was wondering if there is any way of keeping track of any/every body who
> looks around in my home directory?  'twould be nice if this program could
> create and append to a logfile, each time some user chdir-ed to my $HOME.

To which, sean@ms.uky.edu (Sean Casey), in article <11680@s.ms.uky.edu>,
replies:
>This isn't possible under most versions of Unix. It *might* be possible
>under a secure Unix with audit trails, but I'm not too familiar with secure
>Unixes.

If the secure Unix is being built according to the "Orange Book" (TCSEC), then
the audit trails are not accessible to an arbitrary user. The Orange Book
requires that the ability to read the audit trail be restricted to authorized
users. Now, one could conceivably ask the System Security Officer to examine
the audit trail for you, but you'd have to tell the SSO what you were looking
for (and even then, the ability to do an audit search with that granularity
might not be present in the system. At the typical level of "secure Unix"s,
C2, you only need to be able to selectively retrieve information based on the
user taking the action, not the object being accessed.)

>An easy solution is to "cd; chmod 700 .". That will insure that no one can
>go into your home directory.

A harder solution might be to find out how the file system tables are
constructed, and have a continuously running background program that
repeatedly scanned /dev/kmem to detect when your files were open. Of course,
that would slow the system down and raise a denial of service issue, but we're
talking about security here :-).

Daniel
Work :The Aerospace Corp M8/055 * POB 92957 * LA, CA 90009-2957 * 213/336-3149
Home :8333 Columbus Avenue #17  * Sepulveda CA 91343            * 818/892-8555
Email:faigin@aerospace.aero.org (or) Faigin@dockmaster.ncsc.mil               
Voicemail: 213/336-5454 Box#3149 * "Take what you like, and leave the rest"   

Kreme@cup.portal.com (Lewis Kreme Butler) (05/12/89)

When I was at UCSC, the Unix system there was able to keep track of when
people looked at FILES in your directories.  I know several people had
these setup on their public access files.  I don't know how it was done.

As far as I know, knowing when someone comes into your firectory is not
possible (that's Directory, not firectory :-)

______________________________________________________________________________
| kreme@cup.portal.com | I want a party where all the women wear new dresses |
---------------------- | and all the men drink beer.  -- Jason Gaes          |
| At 20:43 the dome of St. Elvis | "There's sex and death and human grime in |
| Cathedral shattered... and the | monchrome for one thin dime, and at least |
| Devil walked the earth again.  | the trains all run on time but they don't |
| He'd never really left.        | go anywhere."                             |
|                  Grendel #24   | "Vicious Caberet"   V for Vendetta Vol IV |

ag@cbmvax.UUCP (Keith Gabryelski) (05/13/89)

In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury
Prabhakar) writes: 
> I was wondering if there is any way of keeping track of any/every body who
> looks around in my home directory?  'twould be nice if this program could
> create and append to a logfile, each time some user chdir-ed to my $HOME.

I'm gonna jump right in with my eyes WIDE open even though I haven't been
keeping track of this thread.

Why not set said directory 0700 and supply a setuid program that will
allow access to that directory, keeping a log of what is happening?

Pax, Keith
-- 
This article is freely distributable under the terms of the GNU License.
Keith Gabryelski                                   ag@cbmvax.commodore.com

bdavies@ihlpy.ATT.COM (Davies) (05/13/89)

In article <8928@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury Prabhakar) writes:
> (wants to keep stats on who is accessing files in his directories)

Here is my suggestion:

For all of the files in your account, give the permissions that you would
normally for owner.  Set the group permissions to be as lenient as you wish
for everyone else to access; i.e. r-x for directories and r-- for files
would be good.  Then remove ALL permissions for other: ---.

Make your home directory, as well as your bin directory 755.

Finally, create a shell script (or binary) in your bin directory that
others must execute prior to accessing your files.  You can add logging
information into a file somewhere, do menu driven stuff, or whatever.
The trick is to do a chmod 2755 on the script.  This sets the 'setgid'
bit on the file so that the other users who execute this command have
your effective group ID, and can access files as per the group settings
that you have set up.

This method forces people to go through the front end program to access
your files, in which you can add logging.  It disallows other access,
other than to people who are in the same group as you.  If lots of other
people have the same group ID as you, then ask the SA to put you in your
own group.  I suspect he/she would not object to doing that, since it
is in general more secure to have everyone in their own group.

Later,
-- 
				Bryan R. Davies, AT&T Bell Labs
				IH 55314 4H-332 x3669 att!ihlpy!bdavies

composer@bu-cs.BU.EDU (Jeff Kellem) (05/13/89)

In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury Prabhakar) writes:
>
>Hi,
>
> I was wondering if there is any way of keeping track of any/every body who
> looks around in my home directory?  'twould be nice if this program could
> create and append to a logfile, each time some user chdir-ed to my $HOME.
>
>						-- Vallury Prabhakar
>rustcat@cnc-sun.stanford.edu

Well, it is possible to find out if a file has been accessed.  Actually,
that is relatively easy, using stat() and keeping track of the last access
time of a particular file.  As far as I know, it is not possible (well, at
least, not that easy) to find out who is accessing the file.  But, you CAN
find out when someone accesses the file.  You may miss some of the file
accesses, if more than one person accesses the file before you check the
access time again.  Hope that helps a little bit.

                            -jeff

Jeff Kellem
INTERNET: composer@bu-cs.bu.edu  (or composer%bu-cs.bu.edu@bu-it.bu.edu)
UUCP: ...!harvard!bu-cs!composer

p.s. This discussion probably does not belong on alt.sources, follow-ups
should go to comp.unix.questions, most likely.  Thanks.
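
Kellem's stat() approach as an added example in C (not from the thread): it polls a file's access time once a second and reports each change, identifying when but never who, and reads that fall between two polls merge into one event. The file name is a hypothetical placeholder, and on a file system mounted noatime the access time never advances, so check the mount options first.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Returns 1 if path's access time differs from *last (and records it), 0 if
 * unchanged, -1 if stat() fails. st_atim is the POSIX.1-2008 name; comparing
 * nanoseconds too keeps two reads within one second from looking identical. */
int atime_changed(const char *path, struct timespec *last)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_atim.tv_sec == last->tv_sec && st.st_atim.tv_nsec == last->tv_nsec)
        return 0;
    *last = st.st_atim;
    return 1;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "watched.txt"; /* hypothetical file */
    struct timespec last = {0, 0};
    if (atime_changed(path, &last) < 0) { perror(path); return 1; }
    for (;;) {                /* one stat() per second; reads between polls merge */
        sleep(1);
        int r = atime_changed(path, &last);
        if (r < 0) { perror(path); return 1; }
        if (r == 1) {
            char when[32];
            strftime(when, sizeof when, "%Y-%m-%d %H:%M:%S", localtime(&last.tv_sec));
            printf("%s read at %s (reader unknown)\n", path, when);
        }
    }
}
```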

joss@uhura.cc.rochester.edu (Josh Sirota) (05/13/89)

In article <11680@s.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
> An easy solution is to "cd; chmod 700 .". That will insure that no one can

In article <12743@ihlpy.ATT.COM> bdavies@ihlpy.UUCP (55314-Davies,B.) writes:
>The trick is to do a chmod 2755 on the script.  This sets the 'setgid'

Why does everyone do this?  Just to confuse the novice?  Why not say
	"An easy solution is to "cd ; chmod go-rwx ."
or
	"The trick is to do a chmod g+s on the script."

Really.  *I* know what you all mean, but why does everyone teach the
octal way when these mnemonic ways exist that are so nice and easy to
understand for everyone?  Don't you all believe in abstraction?

Josh

BTW - if someone asked me what mode my directory was, I'd say either
"readable" or "755", so maybe I'm a slight hypocrite, but I'm quite sure
that a better way to do these postings would NOT be with the octal
modes.

Really - just a suggestion, not a flame.
-- 
Josh Sirota
INTERNET: joss@uhura.cc.rochester.edu        BITNET: joss_ss@uordbv.bitnet
*** After May 30, change to jss@wombat.mit.edu, soon to become jss@sun.com
    if all goes according to plan!

pdg@chinet.chi.il.us (Paul Guthrie) (05/14/89)

>In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury
>Prabhakar) writes: 
>> I was wondering if there is any way of keeping track of any/every body who
>> looks around in my home directory?  'twould be nice if this program could
>> create and append to a logfile, each time some user chdir-ed to my $HOME.

I made mods to AT&T's sysmon for DMDs to do this.  It just built an inode
list at startup, and every minute poked into /dev/kmem to look for this
in the user structures.  Not too tough, and effective (if people are there
for while the lookup occurs).  Of course this does not catch 'ls ~pdg'.

I've always found that with the way most bozos have their paths set up
a shell script called 'ls' in the home directory is quite effective.

-- 
Paul Guthrie
chinet!nsacray!paul

cs411134@umbc5.umbc.edu (Peter Johansson) (05/14/89)

In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury Prabhakar) writes:
>
> I was wondering if there is any way of keeping track of any/every body who
> looks around in my home directory?  'twould be nice if this program could
> create and append to a logfile, each time some user chdir-ed to my $HOME.

Shame on those of you who said this is impossible!  The problem as stated
might be rather difficult, but a little insight into most snoopers'
activities leads to a rather simple solution.

Scenario:  Someone cd's to your home directory (e.g. ``cd ~rustcat'').
What's the first command they are most likely to execute once there?
You got it, they are gonna do a ``ls -whatever''.  It's not in most
users' behaviour to ``ls /usr/users/rustcat''.

Solution:  Create a small program (preferably in C, as shell scripts
are shell-specific) that logs the information you desire, and then
passes all options to /bin/ls, or wherever ``ls'' is on your system.
Rename this program to ``ls'' in your $HOME directory (e.g. ``~/ls'')
and give it other execute permission (``chmod o+x ls'').  You can then
make links to this program in all directories that have ``other''
protection.

Why this works:  Most users have ``.'' in their path before ``/bin''
or ``/usr/bin'' and whatever else, so your ``ls'' gets executed
instead of the one the snooper expects.  If you like, and if you have
the source to the system ``ls'', you can include it into your program
and modify it so that your ``ls'' program never gets displayed.
Another good idea is not to log your own accesses to the program.

Dangers and Caveats:  It would be equally easy to have the ``ls''
program ``rm -R ~/*'' making this information potentially very
dangerous.  I suggest you remove ``.'' from your path when snooping.
I hope everyone who reads this message is mature enough to understand
its implications.

> I'm not a systems hacker so I have no idea what this entails.  My apologies
> if this request sounds ridiculous.  

The only ridiculous question is the one not asked.

> Thanks in advance.

You're most welcome.

--
This account dies soon.  Send all mail to:
Internet: peter@umbc2.umbc.edu
Bitnet  : peter@umbc2.bitnet
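
The defence Guthrie and Johansson both point at (keep ``.'' out of your path), as an added example in C that is not from the thread: a check of PATH for entries that would let a directory you merely cd into supply its own ``ls''. It flags ``.'', empty components (a leading, trailing or doubled colon also means the current directory) and any relative entry; the function is hypothetical, not a system utility.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the number of PATH entries that resolve relative to the current
 * directory; writes their 1-based positions into pos (at most maxpos). */
int unsafe_path_entries(const char *path, int *pos, int maxpos)
{
    int count = 0, index = 1;
    const char *p = path;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        /* "" and "." mean the cwd; anything not starting with '/' is relative to it */
        if (len == 0 || p[0] != '/') {
            if (count < maxpos) pos[count] = index;
            count++;
        }
        if (!colon) break;
        p = colon + 1;
        index++;
    }
    return count;
}

int main(void)
{
    const char *path = getenv("PATH");
    if (!path) { puts("PATH is unset"); return 0; }
    int pos[16];
    int n = unsafe_path_entries(path, pos, 16);
    if (n == 0) { puts("PATH contains only absolute directories"); return 0; }
    printf("%d PATH entr%s resolve relative to the current directory, at position%s:",
           n, n == 1 ? "y" : "ies", n == 1 ? "" : "s");
    for (int i = 0; i < n && i < 16; i++) printf(" %d", pos[i]);
    putchar('\n');
    return 1;
}
```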

kamath@reed.UUCP (Sean Kamath) (05/15/89)

In article <12743@ihlpy.ATT.COM> bdavies@ihlpy.UUCP (55314-Davies,B.) writes:
>Finally, create a shell script (or binary) in your bin directory that
>others must execute prior to accessing your files.  You can add logging
>
>This method forces people to go through the front end program to access
>your files, in which you can add logging.  It disallows other access,
>-- 
>				Bryan R. Davies, AT&T Bell Labs

This is getting ridiculous.  What is it doing in a *sources* newsgroup?

In any case, here at Reed we have this thing we call the game shell.
You make a dir called .hide or some such silly name, then put
everything in that dir.  Next, link all the executable files to that
shell, which when executed looks in .hide to fork and exec that
process.  I'll investigate to see if it's worth/possible to post
*sources* for it.

Sean Kamath
-- 
UUCP:  {decvax allegra ucbcad ucbvax hplabs}!tektronix!reed!kamath
CSNET: reed!kamath@Tektronix.CSNET  ||  BITNET: kamath@reed.BITNET
ARPA: kamath%reed.bitnet@cunyvm.cuny.edu
US Snail: 3934 SE Boise, Portland, OR  97202-3126 (I hate 4 line .sigs!)

parke@jfcl.dec.com (Bill Parke) (05/18/89)

From article <8447@chinet.chi.il.us>, by pdg@chinet.chi.il.us (Paul Guthrie):
>>In article <8923@csli.Stanford.EDU> rustcat@csli.stanford.edu (Vallury
>>Prabhakar) writes: 

Is this alt.sources or alt.sources.d ??  There seems to be a lot of d and
little .sources }8-)}.

			Bill

crayfe@wilbur.nas.nasa.gov (Cray Hardware Support) (05/27/89)

In article <1953@ur-cc.UUCP> joss@uhura.cc.rochester.edu (Josh Sirota) writes:
>In article <11680@s.ms.uky.edu> sean@ms.uky.edu (Sean Casey) writes:
>> An easy solution is to "cd; chmod 700 .". That will insure that no one can
>
>In article <12743@ihlpy.ATT.COM> bdavies@ihlpy.UUCP (55314-Davies,B.) writes:
>
>
>Really.  *I* know what you all mean, but why does everyone teach the
>octal way when these mnemonic ways exist that are so nice and easy to
>understand for everyone?  Don't you all believe in abstraction?
>

just to stick my two cents in, I honestly don't know the "easy" mnemonic
way. I learned it the "hard" way and that seems easy to me. (ref. meme)
nothing flaming here either.

re: the original point
   A work around for finding out who is accessing a command you wrote
that isn't terribly clever is to write your command so that it writes
a log in your home directory (probably not possible to write this
portably). Of course this won't work for text or just snoopers, but
I thought you restated the problem in a way that this might help.

>Josh
>
>Really - just a suggestion, not a flame.
>-- 

ste

No one bears any responsibility for anything I say.