On 01/27/2015 09:07 AM, STeve Andre' wrote:
On 01/27/15 02:26, Renaud Allard wrote:
Hello,
I wrote a patch which adds a new kernel sysctl (hideproc) to hide
processes not owned by a user, except for root. This should be mostly
useful on shell servers and on servers with chroots.
I know some controversial patches have been presented in the past, but
this one does only one thing and should have a small enough impact.
While writing it, I was using a snapshot about 1 week old, and the
patch didn't work for a reason I have not found. But it works fine on
5.6 (that's why this one applies to 5.6). So there might be or have
been a regression somewhere.
This seems like another knob, to me. As someone who has helped
administrate open access systems, I'm not sure this is useful. You
forgot to include the man page additions, too. ;-)
--STeve Andre'
This is indeed a knob, but it prevents leaking information about the
processes running on the machine.
Here is the man page diff:
diff -aur oldsrc/lib/libc/gen/sysctl.3 src/lib/libc/gen/sysctl.3
--- oldsrc/lib/libc/gen/sysctl.3 Sun Jul 13 19:47:03 2014
+++ src/lib/libc/gen/sysctl.3 Tue Jan 27 10:32:26 2015
@@ -468,6 +468,7 @@
.It Dv KERN_VERSION Ta "string" Ta "no"
.It Dv KERN_VNODE Ta "struct e_vnode" Ta "no"
.It Dv KERN_WATCHDOG Ta "node" Ta "not applicable"
+.It Dv KERN_HIDEPROC Ta "integer" Ta "yes"
.El
.Bl -tag -width "123456"
.It Dv KERN_ARGMAX
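Review bot: the type column for the new `KERN_HIDEPROC` row says "integer", but the sysctl.8 row added by this same patch lists kern.hideproc as "string"; the two must agree, and since the description says the value is set to 1, integer is the right one and the sysctl.8 row is the one to fix. The entries visible around the insertion (KERN_VERSION, KERN_VNODE, KERN_WATCHDOG) are in alphabetical order, so appending KERN_HIDEPROC after KERN_WATCHDOG breaks that ordering; move the row to its alphabetical place in the table.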
@@ -1085,6 +1086,9 @@
.It Dv KERN_WATCHDOG_PERIOD
The period of the watchdog timer in seconds.
Set to 0 to disable the watchdog timer.
+.It Dv KERN_HIDEPROC
+If set to 1, the kernel will only list processes belonging to the user
+making the call, except if the user is root.
.El
.El
.Ss CTL_MACHDEP
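Review bot: the new `.It Dv KERN_HIDEPROC` entry is inserted before the first of the two consecutive `.El` lines, i.e. inside the nested list whose last item is `KERN_WATCHDOG_PERIOD` (the inner `.El` closes the KERN_WATCHDOG sub-list, the outer one closes the kern list), so the text will render as a sub-entry of KERN_WATCHDOG rather than as a top-level kern entry. Move it between the two `.El` lines, or better to its alphabetical position in the outer list, matching wherever the table row from the earlier hunk ends up. The description itself is also too thin for a security knob: state the default value, which values are accepted (only 0 and 1?), which uid is compared (real or effective, which matters for setuid programs run by an unprivileged user), and which sysctl nodes the filter applies to, so that a user reading "only list processes belonging to the user" can tell what is and is not hidden.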
diff -aur oldsrc/sbin/sysctl/sysctl.8 src/sbin/sysctl/sysctl.8
--- oldsrc/sbin/sysctl/sysctl.8 Fri Jul 11 18:43:07 2014
+++ src/sbin/sysctl/sysctl.8 Tue Jan 27 10:28:40 2015
@@ -200,6 +200,7 @@
.It kern.maxlocksperuid Ta integer Ta yes
.It kern.bufcachepercent Ta integer Ta yes
.It kern.consdev Ta string Ta no
+.It kern.hideproc Ta string Ta yes
.It vm.vmmeter Ta struct Ta no
.It vm.loadavg Ta struct Ta no
.It vm.psstrings Ta struct Ta no
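Review bot: `.It kern.hideproc Ta string Ta yes` gives the wrong type: the sysctl.3 half of this patch declares `KERN_HIDEPROC` as "integer" and the description says it is set to 1, so this row should read `.It kern.hideproc Ta integer Ta yes`. As it stands, sysctl(8) would document a string where sysctl(3) documents an integer.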
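To make the visibility rule the man page text describes concrete, here is a userland model of it as an added example. It is not the kernel patch from the thread (which is not shown here) and not OpenBSD code; the `proc_entry` layout, the sample process table and the choice to compare the caller's real uid against the process's real uid are assumptions made for the example, since the patch text does not say which uid it compares. The setuid row in the table is there to show why that choice matters.

```c
/* Added example, not from the thread's patch: a userland model of the
 * kern.hideproc visibility policy so its edge cases can be exercised
 * without a kernel.  Assumption: "processes belonging to the user" means
 * the process's real uid equals the caller's real uid. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-in for the process fields the policy needs. */
struct proc_entry {
    pid_t pid;
    uid_t ruid;        /* real uid of the process */
    uid_t euid;        /* effective uid (differs for setuid programs) */
    const char *comm;
};

/* The knob: 0 = list everything (current behaviour), 1 = hide others. */
static int kern_hideproc = 0;

/* Policy from the man page text: with hideproc=1, a non-root caller sees
 * only processes belonging to it; root is exempt. */
static bool proc_visible(const struct proc_entry *p, uid_t caller_ruid)
{
    if (kern_hideproc == 0)
        return true;
    if (caller_ruid == 0)
        return true;                    /* root exception */
    return p->ruid == caller_ruid;      /* assumption: compare real uids */
}

/* Emulates a filtered process listing: copies the entries the caller may
 * see into out[] and returns how many were copied. */
static size_t list_procs(const struct proc_entry *table, size_t n,
                         uid_t caller_ruid,
                         struct proc_entry *out, size_t outcap)
{
    size_t k = 0;
    for (size_t i = 0; i < n && k < outcap; i++)
        if (proc_visible(&table[i], caller_ruid))
            out[k++] = table[i];
    return k;
}

/* Constructed sample process table (not real system data). */
static const struct proc_entry sample_table[] = {
    { 1,    0,    0,    "init" },
    { 1001, 1000, 1000, "ksh" },
    { 1002, 1000, 0,    "passwd" },      /* setuid root, run by uid 1000 */
    { 2001, 1001, 1001, "vi" },
    { 3001, 1002, 1002, "sshd" },
};
#define SAMPLE_N (sizeof sample_table / sizeof sample_table[0])

/* How many of the sample entries a caller with the given real uid sees
 * under the given knob setting. */
size_t visible_count(int hideproc, uid_t caller_ruid)
{
    struct proc_entry out[SAMPLE_N];
    kern_hideproc = hideproc;
    return list_procs(sample_table, SAMPLE_N, caller_ruid, out, SAMPLE_N);
}

int main(void)
{
    printf("hideproc=0, uid 1000 sees %zu of %zu\n",
           visible_count(0, 1000), (size_t)SAMPLE_N);
    printf("hideproc=1, uid 1000 sees %zu of %zu\n",
           visible_count(1, 1000), (size_t)SAMPLE_N);
    printf("hideproc=1, uid 1001 sees %zu of %zu\n",
           visible_count(1, 1001), (size_t)SAMPLE_N);
    printf("hideproc=1, root sees %zu of %zu\n",
           visible_count(1, 0), (size_t)SAMPLE_N);
    return 0;
}
```

With the knob off every caller sees all five entries; with it on, uid 1000 sees its shell and its setuid `passwd` (real uid 1000 even though the effective uid is 0), uid 1001 sees only its own editor, and root still sees everything. Had the model compared effective uids instead, `passwd` would vanish from its own user's listing and appear in root's only, which is exactly the ambiguity the man page text should resolve.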