SUMMARY: privacy procs

From: Andy De Petter (andy.depetter@ops.skynet.be)
Date: Wed Mar 29 2000 - 04:23:37 CST


Hi,

My original question was:

> On Linux you have a kernel patch called OpenWall Project
> (http://www.openwall.com). It has the possibility to restrict the ps
> -ef output of ordinary users.
>
> If a user does ps -ef he can't see more than his own processes.
>
> Is there a possibility to do this on Solaris? I have taken a look at
> RBAC in Solaris 8, but that's more like giving normal users more
> privileges to the system, and not less. Also the restricted shell in
> Solaris 8, doesn't have the capabilities of doing such.
>
> Has anyone used something that is capable of doing this on Solaris?

Most answers I got were to remove the setuid root from the ps binary,
but checking all binaries, on a few different OS versions, taught me
that this would only work on Solaris pre-7. After 2.6, the setuid root
has been removed from the binary. I haven't included these replies in
my summary though, as they won't work anyway for Solaris 7/8.

Anyway, I have made a little summary of the replies (I haven't been
able to try all of them out yet).

Special thanks to Ken (robsonk@erbd.com), Dieter Wurm, Craig Raskin,
Adam Morley, Karl Vogel and Dan Lowe.

Here are the replies in short:

> I think a very easy way is to build an alias for ps command like ps -u <userid>
> or a scriptwrapper to substitute all commands for user-id-restrictions

=====

> 1. Create a new group called (say) "proc".
>
> 2. mv /usr/bin/ps /usr/bin/ps.exe
> chgrp proc /usr/bin/ps.exe
> chmod 750 /usr/bin/ps.exe
>
> 3. Now, write a ps replacement that runs setgid to group "proc",
> executes ps.exe, and only passes along lines containing the username
> of the person running it.

=====

> We recently implemented this at our company, and had to do it ourselves
> because we couldn't find any suitable products out there.
>
> Unfortunately it's company-owned code, so it's not something we can
> distribute outside of the company.

=====

-Andy

-- 
......................................................................
:                                                                    :
:                              Andy De Petter <andy@ops.skynet.be>   :
:    Skynet   NV/SA                                System Engineer   :
:                                                                    :
: Kol. Bourgstraat 124          _,'|            _.-''``-...___..--'; :
:    1140  Brussels            /, \'.      _..-' ,      ,--...--'''  :
:                             < \   .`--'''      `     /|            :
: Tel +32 (0)2 7061311         `-,;'              ;   ; ;            :
: Fax +32 (0)2 7061312    __...--''     __...--_..'  .;.'            :
:                        (,__....----'''      (,..--''               :
: http://www.skynet.be	                                             :
......................................................................

The opinions expressed are personal.
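The setgid wrapper sketched in the second quoted reply (new group "proc", real ps moved to /usr/bin/ps.exe with mode 750, a replacement that runs the real ps and passes along only the caller's lines), written out here as an added C example; it is not code from the mail or from any of the respondents. It assumes exactly the layout that reply describes, and the names REAL_PS, filter_ps_output, line_owned_by and the demo_* helpers are this example's own. Two choices differ from a literal reading of the reply: the filter compares the UID column of ps -ef exactly instead of keeping every line that merely contains the username, and the real ps is started by absolute path with a fixed minimal environment so nothing from the caller's environment or arguments reaches the group-privileged binary. The ps output at the end is constructed for an offline check, not captured from a system.

```c
/* Restricted ps wrapper: run the real ps as group "proc", show the caller
 * only the processes it owns. Example code; assumes the layout from the
 * quoted reply (ps moved to /usr/bin/ps.exe, chgrp proc, chmod 750) and
 * that this program is installed setgid proc. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>
#include <sys/wait.h>

#define REAL_PS "/usr/bin/ps.exe"   /* assumed location of the real ps */

/* 1 if the first whitespace-delimited field of `line` is exactly `user`.
 * ps -ef prints the owner in the UID column; matching that column, rather
 * than any substring, keeps other users' processes out of the listing even
 * when their command line happens to mention this username. */
int line_owned_by(const char *line, const char *user)
{
    size_t ulen = strlen(user);
    while (*line == ' ' || *line == '\t')
        line++;
    return strncmp(line, user, ulen) == 0 &&
           (line[ulen] == ' ' || line[ulen] == '\t');
}

/* Copy the header line plus every line owned by `user` from `in` to `out`.
 * Returns the number of process lines kept (the header is not counted). */
int filter_ps_output(const char *in, const char *user, char *out, size_t outsz)
{
    int kept = 0, first = 1;
    size_t used = 0;
    const char *p = in;

    out[0] = '\0';
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        size_t copy = len + (nl ? 1 : 0);     /* include the newline */

        if (first || line_owned_by(p, user)) {
            if (used + copy + 1 > outsz)       /* out of room: stop */
                break;
            memcpy(out + used, p, copy);
            used += copy;
            out[used] = '\0';
            if (!first)
                kept++;
        }
        first = 0;
        p += copy;
    }
    return kept;
}

/* Constructed sample of ps -ef output for an offline check (not real output). */
static const char SAMPLE_PS[] =
    "     UID   PID  PPID  C    STIME TTY      TIME CMD\n"
    "    root     0     0  0   Mar 20 ?        0:01 sched\n"
    "    andy  1234   999  0 09:15:02 pts/3    0:00 -ksh\n"
    "   other  2222   999  0 09:16:00 pts/4    0:00 grep andy\n"
    "    andy  1300  1234  0 09:17:11 pts/3    0:00 ps -ef\n";

static char demo_out[1024];

/* Run the filter over SAMPLE_PS for `user`; result is left in demo_out. */
int demo_filter(const char *user)
{
    return filter_ps_output(SAMPLE_PS, user, demo_out, sizeof demo_out);
}

/* 1 if the last demo_filter() result contains `needle`. */
int demo_has(const char *needle)
{
    return strstr(demo_out, needle) != NULL;
}

int main(void)
{
    static char inbuf[1 << 16], outbuf[1 << 16];
    struct passwd *pw = getpwuid(getuid());   /* real uid: who invoked us */
    int fds[2];
    pid_t pid;
    size_t n = 0;
    ssize_t r;

    if (pw == NULL || pipe(fds) < 0)
        return 1;
    if ((pid = fork()) < 0)
        return 1;
    if (pid == 0) {
        /* Fixed argv and environment: the caller's options and variables
         * never reach the group-privileged binary. */
        char *argv[] = { "ps", "-ef", NULL };
        char *envp[] = { "PATH=/usr/bin", NULL };
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execve(REAL_PS, argv, envp);
        _exit(127);
    }
    close(fds[1]);
    while ((r = read(fds[0], inbuf + n, sizeof inbuf - 1 - n)) > 0)
        n += (size_t)r;
    inbuf[n] = '\0';
    close(fds[0]);
    waitpid(pid, NULL, 0);

    filter_ps_output(inbuf, pw->pw_name, outbuf, sizeof outbuf);
    fputs(outbuf, stdout);
    return 0;
}
```

Installed as the new /usr/bin/ps with group proc and mode 2755, the wrapper lets an ordinary user see the header and their own processes only; root can still run /usr/bin/ps.exe directly, and any options the caller passes are ignored because argv is fixed. The limit of the approach is the same as the one the thread is working around: on Solaris the per-process /proc/<pid>/psinfo files are readable by everyone, so a user who brings their own copy of ps can still list the system. The wrapper stops casual browsing with the stock tool; it does not hide processes from a determined user.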




This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:14:05 CDT