From owner-freebsd-isp Tue Aug 22 10:39:42 2000
Delivered-To: freebsd-isp@freebsd.org
Received: from elvis.mu.org (elvis.mu.org [207.154.226.10])
	by hub.freebsd.org (Postfix) with ESMTP id 0B9EE37B424
	for ; Tue, 22 Aug 2000 10:39:38 -0700 (PDT)
Received: by elvis.mu.org (Postfix, from userid 1000)
	id 77F6F2B23F; Tue, 22 Aug 2000 12:39:32 -0500 (CDT)
Date: Tue, 22 Aug 2000 10:39:32 -0700
From: Paul Saab
To: Bill Fumerola
Cc: FengYue, Mike, James Housley, freebsd-isp@FreeBSD.ORG
Subject: Re: ps question
Message-ID: <20000822103932.A62542@elvis.mu.org>
References: <4.3.2.7.2.20000821014336.00b81aa0@127.0.0.1> <20000821155159.F65562@jade.chc-chimes.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="AhhlLboLdkugWU4S"
Content-Disposition: inline
User-Agent: Mutt/1.2i
In-Reply-To: <20000821155159.F65562@jade.chc-chimes.com>; from billf@chimesnet.com on Mon, Aug 21, 2000 at 03:51:59PM -0400
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--AhhlLboLdkugWU4S
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

Bill Fumerola (billf@chimesnet.com) wrote:
> On Mon, Aug 21, 2000 at 12:53:53PM -0700, FengYue wrote:
>
> >
> > What's the use of all those hacks in ps code? People can simply either
> > access /proc or directly call kvm_* () functions to get a full list of
> > processes running on the machine, or even simply ftp a ps binary
> > from another freebsd machine.
>
> Exactly. If you don't want users snooping around, installing a watered
> down ps(1) isn't going to help much.
>
> Unmounting /proc may help, not giving users that would abuse an account
> might help, giving users restricted shells might help, a bullet in the
> head of people who abuse your system might help, but a watered down ps(1)
> sadly won't.

Not only that, you still have access to the sysctl as any user to pull
all the processes, so a watered down ps isn't going to help, but this
patch will.. :) If I get some time, I can do something similar for procfs.

paul --AhhlLboLdkugWU4S Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="ps.diff" Index: kern_proc.c =================================================================== RCS file: /shit/FreeBSD4/cvs/src/sys/kern/kern_proc.c,v retrieving revision 1.1 retrieving revision 1.2 diff -u -r1.1 -r1.2 --- kern_proc.c 2000/07/22 08:02:17 1.1 +++ kern_proc.c 2000/08/19 16:36:17 1.2 @@ -55,6 +55,10 @@ static MALLOC_DEFINE(M_PROC, "proc", "Proc structures"); MALLOC_DEFINE(M_SUBPROC, "subproc", "Proc sub-structures"); +static int ps_showallprocs = 1; +SYSCTL_INT(_kern, OID_AUTO, ps_showallprocs, CTLFLAG_RW, + &ps_showallprocs, 0, ""); + static void pgdelete __P((struct pgrp *)); /* @@ -522,7 +526,7 @@ } static int -sysctl_kern_proc SYSCTL_HANDLER_ARGS +sysctl_kern_proc(SYSCTL_HANDLER_ARGS) { int *name = (int*) arg1; u_int namelen = arg2; @@ -561,6 +565,11 @@ p = LIST_FIRST(&zombproc); for (; p != 0; p = LIST_NEXT(p, p_list)) { /* + * Show a user only their processes + */ + if ((!ps_showallprocs) && p_trespass(curproc, p)) + continue; + /* * Skip embryonic processes. */ if (p->p_stat == SIDL) @@ -618,7 +627,7 @@ * title to a string of its own choice. */ static int -sysctl_kern_proc_args SYSCTL_HANDLER_ARGS +sysctl_kern_proc_args(SYSCTL_HANDLER_ARGS) { int *name = (int*) arg1; u_int namelen = arg2; --AhhlLboLdkugWU4S-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
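
Review bot: the SYSCTL_INT added in the first hunk (@@ -55,6 +55,10 @@) has an empty description string (""), so kern.ps_showallprocs is undocumented at the place an administrator would look it up. Suggest a short description, for example "Let unprivileged users see all processes", and a comment above `static int ps_showallprocs = 1;` noting that the default of 1 keeps the current behaviour and the filter only takes effect once the value is set to 0.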
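
Review bot: in the loop hunk (@@ -561,6 +565,11 @@) the new `p_trespass(curproc, p)` test runs before the existing "Skip embryonic processes" check, so it is evaluated on entries with `p->p_stat == SIDL` that the loop is about to skip anyway. Consider moving the new block below the SIDL check so the credential comparison only runs on processes that are fully set up. The comment "Show a user only their processes" would also be more accurate if it said the filter applies only when ps_showallprocs is 0.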
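
Review bot: the last hunk (@@ -618,7 +627,7 @@) changes only the declaration of sysctl_kern_proc_args and adds no ps_showallprocs check there, while the filter in this patch sits in the sysctl_kern_proc loop only. If the args handler can be queried for an arbitrary pid, it needs the same `(!ps_showallprocs) && p_trespass(curproc, p)` test, otherwise another user's command line stays readable with the knob set to 0. The switch to `(SYSCTL_HANDLER_ARGS)` here and in the @@ -522,7 +526,7 @@ hunk is unrelated to the filtering and would be easier to review as a separate change.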