Date:      Sun, 13 Aug 2000 23:03:05 +0200
From:      Maxime Henrion <mux@qualys.com>
To:        freebsd-hackers@freebsd.org
Subject:   limit processes that a user can 'see'
Message-ID:  <39970D08.4BA72541@qualys.com>

        Hello,

I have an idea that I would love to see applied in FreeBSD source code,
but as I'm not skilled enough to code it, I post it to see if you think
it makes sense, and if someone would be interested in coding this. It is
a security measure regarding the 'ps' command.

By using the 'ps' command, any user logged in to the system can view all
the running processes, including root's and the processes of other
users. My idea is to limit this behaviour a bit.

Through a sysctl variable, root could restrict the list of
"readable" processes. By readable, I mean that it can be viewed. For
example, a value of 0 could mean no restriction, 1 would hide root
processes, 2 would restrict the visible processes to the processes
owned by users in the same group as the current user, and finally, 3
would restrict the process list to those owned by the current user
(this is the way I'd have done it if I was able to).

Of course, there would be no limitation for the superuser.

The modification must be done at a low enough level so that a user won't
be able to bypass this security measure by compiling another 'ps', so
patching 'ps' doesn't suffice (in fact, if it did, I would have done it
:-).

What do you all think of this?

Best regards,

Maxime Henrion



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
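
The four-level policy proposed in the message above, written as a credential check (an added example, not part of the original e-mail and not FreeBSD code). `struct vis_cred`, `can_see` and the level names are hypothetical; the example assumes a user always sees their own processes, reads level 2 as "shares any group with the viewer", and denies on an unknown level.

```c
#include <stdbool.h>
#include <stddef.h>
#include <sys/types.h>

#define VIS_MAXGROUPS 16

/* Hypothetical credential record; a kernel would use its own structure. */
struct vis_cred {
    uid_t  uid;
    gid_t  groups[VIS_MAXGROUPS];   /* groups[0] is the primary group */
    size_t ngroups;
};

/* Values of the proposed sysctl, as listed in the message. */
enum see_level { SEE_ALL = 0, SEE_HIDE_ROOT = 1, SEE_SAME_GROUP = 2, SEE_SAME_USER = 3 };

/* True if the two credentials have at least one group in common. */
static bool share_group(const struct vis_cred *a, const struct vis_cred *b)
{
    for (size_t i = 0; i < a->ngroups; i++)
        for (size_t j = 0; j < b->ngroups; j++)
            if (a->groups[i] == b->groups[j])
                return true;
    return false;
}

/*
 * Decide whether `viewer` may see a process owned by `target`.
 * The check belongs where the process list is produced, not in ps(1),
 * so that a user-built ps gets the same filtered view.
 */
bool can_see(int level, const struct vis_cred *viewer, const struct vis_cred *target)
{
    if (viewer->uid == 0)             /* no limitation for the superuser */
        return true;
    if (viewer->uid == target->uid)   /* assumption: own processes always visible */
        return true;

    switch (level) {
    case SEE_ALL:        return true;
    case SEE_HIDE_ROOT:  return target->uid != 0;
    case SEE_SAME_GROUP: return share_group(viewer, target);
    case SEE_SAME_USER:  return false;  /* only own processes, handled above */
    default:             return false;  /* unknown sysctl value: fail closed */
    }
}
```

The message does not say whether level 2 should also hide root's processes; here each level applies only the rule stated for it.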