How deny listing processes?

[pelikan81]

Hi,
i have problem: i want to deny listing processes (program ps) for any user except his own processes, for example: when is logged in user: pelikan, and when type ps (plus some parameters) the displayed processes is only his processes.
does anybody know how ?
thanx
pelikan

 

[kHz]

What OS?
FreeBSD allows this.

 

[pelikan81]

Yes, in Solaris, and FreeBSD si possible like this:

http://www.securitydocs.com/library/2640

but i want to for linux, (Fedora Core 4). I found for linux just rewrite kernel source code for example: apply patch from

http://www.grsecurity.net/

. This is also way how to do it.

Exist another way (without compiling source code), any idea ?

pelikan

 

[mrn]

Move the ps command to ps.old & change the perms to 600. Create a new script called ps as follows

#!/usr/bin/ksh
ps

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[Diancecht]

That won't work, you've moved the ps command, right?

Cheers,
Dian

 

[columb]

Yes, but Mike's idea has merit. My similar answer was to use sudo so

1) rename ps -> ps.hid
2) chmod 700 ps.hid
3) create a new ps which looks like

#!/bin/ksh
[[ $(id -ur) -eq 0 ]] && ps.hid $@ || sudo ps.hid

4) add a suitable line to sudoers

ALL host = /usr/bin/ps.hid

Columb Healy

 

[p5wizard]

Then shouldn't there be a "-f ${LOGNAME}" added to the command line parameters in the ps wrapper script?

when type ps (plus some parameters) the displayed processes is only his processes.

HTH,

p5wizard

 

[p5wizard]

that should have read "-u ${LOGNAME}" of course for X/Open ps flags/operands

and the wrapper script could omit "g" switch for Berkeley Standard ps flags/operands


HTH,

p5wizard

 

[mrn]

Opps.... Redface, too much beer this weekend.....

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[lgarner]

Just curious... What's the benefit of renaming ps instead of simply chmodding it 700?

Also, how would you prevent anyone from uploading a ps to their home directory and running that?

 

[mrn]

It wouldn't; we just have to hope the users are as dumb as they appear.

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[mrn]

What O/S are you using?

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[kHz]

just have to hope the users are as dumb as they appear.

They are that dumb.

In my city's paper a couple of days ago a woman wrote a letter to the editor about the upcoming "Lawyers vs.Soft drink makers" court battles. She attempted to correlate pop and cigarettes. Anyway, in this letter she stated "if people were so concerned about second-hand smoke, they wouldn't sit around campfires, and they wouldn't lay next to a roaring fireplace at home."

She also stated she is a smoker. Apparently she doesn't realize cigarettes contain nicotine, a carginogen that is absent in campfires and home fireplaces.

We could possible deduce that 1) the cigarettes have hampered here ability to thought process; 2) she had not yet had her morning coffee; 3) she is that dumb.

Unfortunately my money is on number 3! And, unfortunately, there are too many others like her!

 

[kHz]

the cigarettes have hampered here ability to thought process

should read:

the cigarettes have hampered her ability of a coherent thought process

Or maybe it is the lead, arsenic, ammonia, benzene and cadmium that has hindered her thinking.

Besides nicotine being linked to lung cancer in research, benzene and cadmium are cancer-causing chemicals. And lead causes brain damage, yet people voluntarily inhale it!

 

[columb]

Going back to lgarner's comment about how do you stop the users copying ps to their home folder

chown root:sys ps
chmod 700 ps

Anyone smart enough to break that then I want to recruit them.

On the subject of 'dumb users' I have worked both sides of the fence, *nix and Wintel, and I'm glad I'm on the *nix side. Apart from macho posturing about real OS's having a command line and other flame bait I'm freed of the users who
[ol]
[li]got this software of the front of PC Whatever magazine and needs it loading NOW![/li]
[li]was told by a mate down the pub that if he did X then his PC would run much faster[/li]
[li]Read this article in PC Whatever about wireless, single sign on, bluetooth, wifi, extreme, buzzword, buzzword, buzzword and why can't we do that?[/li]
[/ol]

Columb Healy

 

[Annihilannic]

I think they meant copying ps from another system...

Annihilannic.

 

[mrn]

Just had a thought; why not use an alias in .profile?

alias ps -ef='ps'

Don't know if you could do the following worth a try;

alias ps -[a-zA-Z].='ps'

Mike

"A foolproof method for sculpting an elephant: first, get a huge block of marble, then you chip away everything that doesn't look like an elephant."

http://www.airport-parking-site.co.uk/

 

[feherke]

Hi

In [tt]bash[/tt] with the [tt]command[/tt] built-in you can override the alias and execute the original command :

[blue]master #[/blue] command ps

Feherke.

http://rootshell.be/~feherke/

 

[stefanwagner]

You could collect the information manually (or by script) from the /proc-filesystem.

seeking a job as java-programmer in Berlin:

http://home.arcor.de/hirnstrom/bewerbung

 

[coffeysm]

Why not try something like this, it works for me on Solaris:

mv /usr/bin/ps /usr/bin/ps.old

vi /usr/bin/ps

#!/bin/sh
PS=/usr/bin/ps.old
GREP=/usr/bin/grep
$PS -aef | $GREP $USER