Can I hide the process appearance ?

[cheguvera]

Hi,

A security related question on Solaris.

Suppose I am running some command on command line e.g.

java -v -user xyz -file filename.ext

Now, while this command is running, some other user logs on to the same machine and he gives command like "ps -aef" or "ps -fu some_username", he can see either all processes running or processes being run by a specific user. If I have given a username or username-password on command prompt, he can see that.

Is it possible for me to hide the appearance of my process for the ps command ? or can I display something else as my command description ?

Is there any way without installing any additional software to achieve this ?

Please convey.

Regards

 

[marrow]

I've never seen a password displayed via a ps command. Can you show an example of ps command displaying passwds?
Have you tried running via a cronjob that selects a script that runs your job.

 

[WhiteVolg]

There are very few options for this.
1: Never include a password in your commandline.
2: The application should be able to 'rewrite' it's commandline in kernel space if it requires a password on the commandline. - Many do not, but they can if written properly -
3: make ps impossible to use for non adminstrative users. Easy to do (chmod 550 /usr/bin/ps;chown root:sys /usr/bin/ps), but inconvenient as it eliminates the availability of ps to users.
4: Find a means of padding your commandline until the password/username does not occur in the first 80 characters. This will push it out beyond the 80 character limitation of the ps args display.

My personal favorite is option is 1 and 3, as most users shouldn't need 'ps', just the shell builtin 'jobs'. But I'm mean.

 

[kHz]

FreeBSD offers the capability to restrict seeing processes that don't belong to the user. Maybe Solaris should adopt that security solution. Or maybe you can switch to BSD

 

[SamBones]

Padding the command line to put the username/password past 80 characters doesn't work. Doing "[tt]/usr/ucb/ps -auxwww[/tt]" will show the entire command line regardless of size.

The best way is to see if you can just keep the username/password off the command line. For example, say you're starting an Oracle SQL*Plus command...

This example is bad and will show the username and password.

sqlplus scott/tiger@dbname <<-CMDS
select * from some_table;
quit
CMDS

This example works the same but won't show the username and password.

sqlplus /nolog <<-CMDS
connect scott/tiger
select * from some_table;
quit
CMDS

For FTP, you can use a [tt].netrc[/tt] file. Do a "[tt]man -s4 netrc[/tt]" for more info. This allows you to not even have to put the username or password in the script.

If it's some command between different machines, you can set up [tt]ssh[/tt] to log you in automatically.

 

[Dorga]

cheguvera,

Replace your command line with a script and put the command in the script..

Oracle and I am pretty sure that SQL also does have the option to crype passwords on command line.

Your best option is probably using the here statement example that SamBones explaned.

 

[SamBones]

Putting the command into a script doesn't hide it. A [tt]ps[/tt] will show both the script and the command. The only way is to never have a password on a command line.

 

[cheguvera]

Hi Guys,

Thanks for all these thaughts.

My problem is, I have to run a java code from inside a perl script.
This java code connects to Oracle using JDBC and do not have a way to use the OPS$ account which Oracle provides. I have to give the oracle username/password on the command line, if I want to use this java code, which is my grim reality.

I was just hoping that, if I make the command very long then I may be able to avoid the username/password from appearing on ps command. My command line will be anyway very long. But "ps -auxwww" has dashed my hopes.

Is there any system call, some option via C or Perl to achieve this? My command will be something like,

java -a xxxxx -h tttttt -g jjjjj -f <big_file_name> ....

and I have to run it with "system"command from Perl.

Please scratch your heads for me.

Thanks again.

 

[mrn]

This should work

echo "Name : \c"
read Name
echo "Password : \c"
stty -echo
read Password
stty echo
echo ${Name}/${Password} | java

or

USER=username
PASSWORD=password
{ echo ${USER}/${PASSWORD}; cat ${your_script_name_here}; } | java




Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[elgrandeperro]

Solaris 10 has the ability to restrict the ps command per user.

http://www.securitydocs.com/library/2640

I believe pre Solaris 7, ps needed to be setuid, which means you could supplant the binary (and tweak it to what you want).
If this works the old way, it probably needs to read /dev/mem to operate and that is why it is setuid.

Solaris 8's ps is not setuid, so even if you tweaked the binary someone could get their own binary to work. (I'll assume it gets things from /proc now?)

gene

 

[Annihilannic]

This is a discussion of how to do this in C on FreeBSD on the link below, not sure whether it would apply to your case or whether it would work on Solaris, but I think regardless any solutions that overwrite the cmdline in /proc would mean a modification of the java programme that requires the parameters; do you own that code, and can you do that?

http://www.webhostingtalk.nl/bugtraq-mailing-lijst/23381-ps-information-leak-freebsd.html

I found it by googling for 'obfuscate cmdline'.

Annihilannic.