[Sunhelp] About top

Leon Halford leon.halford at btinternet.com
Thu Oct 19 16:39:48 CDT 2000


Top & for that matter freeware programs are not generally as useful
as they first appear. top in particular introduces security
problems to Solaris.

Solaris 8 has a "top" clone called /usr/bin/prstat - I suggest
you use that.

Whilst we're on the topic, top should definately never be made
available to any user other than root on a production server.
A mistake I have seen all too often.

Why?

Well as you rightly point out it gives users the ability to easily
kill processes. Bad pratice even if its their own application.
That however is nothing compared to this:

top requires any given user running it to be a member of group
"sys" on Solaris such that they can read /dev/kmem - ie physical
memory! If that wasnt bad enough, group "sys" happens to be a
very powerful group on Solaris, because not only does it have
read access to /dev/kmem it has read access to every disk device
too - which implies a member of group sys can read ANY file on
any local file system including root owned files (ie /etc/shadow
etc). I leave this as an experiment for you all, but it's easier
than you may think, certainly no programming is required.

Alternatively as a work around to adding users to group "sys"
you can start fiddling permissions on /dev/kmem to make top
available to non root users - but as soon as you do that you
break other programs and of course pkgchk will immediateley
complain.

Dont do it! Stick to using "prstat" or "/usr/ucb/ps -aux" on
pre Solaris 8 machines as they are *much* safer.


-----Original Message-----
From: sunhelp-admin at sunhelp.org [mailto:sunhelp-admin at sunhelp.org]On
Behalf Of David Eisner
Sent: 19 October 2000 21:51
To: sunhelp at sunhelp.org
Subject: Re: [Sunhelp] About top


On Thu, 19 Oct 2000, David Rouse wrote:

> on 10/19/00 1:35 AM, John Lee at johnlee at sc23.sc.mcel.mot.com wrote:
>
> > Hello,
> >
> > I found the output of the tool "top" and the solaris command
> > "/usr/ucb/ps -aux" are very similar. So my question is: Do we need the
tool
> > "top" in Solaris ?
...
> But I don't think I've ever heard anyone say that top was a bad thing.

top also lets you easily kill processes.  Try hitting the ? key to
see all the options.  top is great.  Also, top cures cancer.

-David

-----------------------------------------------------
David Eisner            | E-mail: cradle at eng.umd.edu |
CALCE EPSC              | Phone:  301-405-5341       |
University of Maryland  | Fax:    301-314-9269       |
-----------------------------------------------------

_______________________________________________
SunHELP maillist  -  SunHELP at sunhelp.org
http://www.sunhelp.org/mailman/listinfo/sunhelp






More information about the SunHELP mailing list