How deny listing processes?

Status
Not open for further replies.

pelikan81

IS-IT--Management
Jul 1, 2005
21
SK
Hi,
I have a problem: I want to deny listing processes (the ps program) for any user except his own processes. For example, when user pelikan is logged in and types ps (plus some parameters), the displayed processes should be only his own processes.
Does anybody know how?
Thanks
pelikan
 
Forgot this might be a little security vulnerability, but you can set permissions to:

Code:
chown nobody:sys /usr/bin/ps
chmod 711 /usr/bin/ps

On Solaris that way users cannot cat the file to see what it calls, but it will still execute with the SUID. Since it is the user nobody though, it should not be too big of a deal.
 
Unfortunately (or not?) you can't set the SUID bit on scripts on AIX. You would have to use sudo in this instance. (see my suggestion several comments back)

This is still open to lgarner's comment about copying ps from another system but anything we suggest will be prone to that.

Columb Healy
 
Good point, I never played with AIX; I heard of other flavors not allowing that though. I think he wants to run it on Linux and I do not know if they allow scripts to be SUID or not.

It also appears that most of the solutions provided control who can run the actual ps command. I think all he wants to do is omit/deny users from seeing all the processes on the system.

If that is all he would like done then I do not see a need to use SUDO. I think it would be easier to write a shell script to just grep for the username of the person running the ps command.
 
I think the only way to reliably achieve this is to change the permissions of /proc, maybe only giving a certain group access to it. However that would prevent the users from seeing even their own processes, and might break some other stuff.

Ideally the proc fs could be modified to make the default permissions of /proc/<pid> entries either 500 or 550. ps would probably have to be modified as well to prevent it complaining about the ones it can't access.

Annihilannic.
 
Well, if a user is smart enough to change a variable, or let alone know what one is, then there is no foolproof way to do this; like Annihilannic says, his solution is probably the best. But you could always hard code the USER variable in the script; I wrote that up as a quick solution. You could do something like use the id command and strip out the username.
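The wrapper script the last two posts describe, written out as an added example (it is not code from the thread or from any poster). It resolves the caller with id(1) instead of trusting the USER environment variable, and keeps the filtering in a separate function so it can be checked against a constructed ps listing. The script name myps, the column layout, and the sample rows are assumptions made for the example.

```sh
#!/bin/sh
# Hypothetical wrapper, installed as e.g. /usr/local/bin/myps (assumed name),
# that shows the calling user only their own processes.

# Resolve the caller from the kernel's real UID via id(1), as suggested in the
# thread, rather than trusting $USER, which the caller can set to any name
# before running the script.
real_user() {
    id -un
}

# Keep only rows whose first column (the owning user) equals "$1".
# Reads the listing on stdin so it can be tested against canned input.
filter_own() {
    awk -v me="$1" '$1 == me'
}

# The wrapper proper: -e lists every process, -o fixes the columns so that
# column 1 is always the user name regardless of ps defaults, and the empty
# header names (user=) suppress the header line so nothing slips past the
# filter. A header is printed separately for readability.
myps() {
    printf 'USER PID TTY TIME CMD\n'
    ps -e -o user= -o pid= -o tty= -o time= -o comm= 2>/dev/null \
        | filter_own "$(real_user)"
}

# Constructed sample listing (not real output) in the same column layout,
# used for the self-checks below.
SAMPLE='root 1 ? 00:00:03 init
pelikan 2041 pts/0 00:00:00 bash
alice 2050 pts/1 00:00:00 vi
pelikan 2077 pts/0 00:00:00 ps'

# Number of sample rows filter_own keeps for the given user.
count_for() {
    printf '%s\n' "$SAMPLE" | filter_own "$1" | wc -l | tr -d ' '
}

# Exit 0 if a row belonging to a different user slipped through, else 1.
leaks_other_user() {
    printf '%s\n' "$SAMPLE" | filter_own "$1" \
        | awk -v me="$1" '$1 != me { found = 1 } END { exit found ? 0 : 1 }'
}
```

On its own the wrapper only changes what this script prints; it does not stop a user from running /usr/bin/ps directly, which is why the rest of the thread pairs this idea with restricting the real ps binary, and why lgarner's point about copying ps in from another system still applies.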
 