[Sunhelp] About top

Adam McDougall mcdouga9 at egr.msu.edu
Thu Oct 19 17:25:29 CDT 2000 

Hi,  I can see why a priviledged top is bad, and why some system admins
might not wanting users to have that information anyway.  But alot of
functionality in top does not need special priviledges anyway.  I have a
copy of top that displays just about everything you'd expect from top
except it doesnt resolve UID's to usernames.  The file permissions?

-rwx------   1 me guest       59780 Sep  7  1999 top.unpriv
crw-r-----   1 root     sys       13,   1 Oct  3 23:52
/devices/pseudo/mm at 0:kmem

top.unpriv -v reports "version 3.5beta7".  

p.s. prstat is nice!  

On Thu, 19 Oct 2000, Leon Halford wrote:

> Top & for that matter freeware programs are not generally as useful
> as they first appear. top in particular introduces security
> problems to Solaris.
> 
> Solaris 8 has a "top" clone called /usr/bin/prstat - I suggest
> you use that.
> 
> Whilst we're on the topic, top should definately never be made
> available to any user other than root on a production server.
> A mistake I have seen all too often.
> 
> Why?
> 
> Well as you rightly point out it gives users the ability to easily
> kill processes. Bad pratice even if its their own application.
> That however is nothing compared to this:
> 
> top requires any given user running it to be a member of group
> "sys" on Solaris such that they can read /dev/kmem - ie physical
> memory! If that wasnt bad enough, group "sys" happens to be a
> very powerful group on Solaris, because not only does it have
> read access to /dev/kmem it has read access to every disk device
> too - which implies a member of group sys can read ANY file on
> any local file system including root owned files (ie /etc/shadow
> etc). I leave this as an experiment for you all, but it's easier
> than you may think, certainly no programming is required.
> 
> Alternatively as a work around to adding users to group "sys"
> you can start fiddling permissions on /dev/kmem to make top
> available to non root users - but as soon as you do that you
> break other programs and of course pkgchk will immediateley
> complain.
> 
> Dont do it! Stick to using "prstat" or "/usr/ucb/ps -aux" on
> pre Solaris 8 machines as they are *much* safer.
> 
> 
> -----Original Message-----
> From: sunhelp-admin at sunhelp.org [mailto:sunhelp-admin at sunhelp.org]On
> Behalf Of David Eisner
> Sent: 19 October 2000 21:51
> To: sunhelp at sunhelp.org
> Subject: Re: [Sunhelp] About top
> 
> 
> On Thu, 19 Oct 2000, David Rouse wrote:
> 
> > on 10/19/00 1:35 AM, John Lee at johnlee at sc23.sc.mcel.mot.com wrote:
> >
> > > Hello,
> > >
> > > I found the output of the tool "top" and the solaris command
> > > "/usr/ucb/ps -aux" are very similar. So my question is: Do we need the
> tool
> > > "top" in Solaris ?
> ...
> > But I don't think I've ever heard anyone say that top was a bad thing.
> 
> top also lets you easily kill processes.  Try hitting the ? key to
> see all the options.  top is great.  Also, top cures cancer.
> 
> -David
> 
> -----------------------------------------------------
> David Eisner            | E-mail: cradle at eng.umd.edu |
> CALCE EPSC              | Phone:  301-405-5341       |
> University of Maryland  | Fax:    301-314-9269       |
> -----------------------------------------------------
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
> 
> _______________________________________________
> SunHELP maillist  -  SunHELP at sunhelp.org
> http://www.sunhelp.org/mailman/listinfo/sunhelp
>

More information about the SunHELP mailing list