Gentoo Forums
The risk of ps and top
Twist
Guru
Joined: 03 Jan 2003
Posts: 414
Location: San Diego

Posted: Thu Mar 17, 2005 1:33 am    Post subject: The risk of ps and top

So I was thinking the other day, as I did a regular check of the scanners bouncing off my sshd port and the like, of the risk that ps and top represent.

Consider: a user gets to a shell on your machine. Let's say for the sake of argument he isn't root yet, and leave all the rootkit worries aside. I detect said user and want to find out what he's doing.

Problem is, he has real-time feedback on what *I'm* doing, via ps and top. I can prevent execution of ps, but the info is still there in the kernel anyway; he can just upload and run something that will achieve the same result.

How on a regular 2.6 kernel do you deny the ability of one user to see another's processes by name? Do you have to create a user mode environment for each user, so they run in their own little universe, or is there a way you can achieve it globally?

-Twist
moocha
Watchman
Joined: 21 Oct 2003
Posts: 5722

Posted: Thu Mar 17, 2005 3:03 am

The grsecurity patches offer the ability to restrict ps and top output to only the processes belonging to the user (by defaulting to more restrictive /proc permissions). The hardened(-dev)-sources contain this patch. Look under Security -> Grsecurity in menuconfig.
_________________
Military Commissions Act of 2006: http://tinyurl.com/jrcto

"Those who would give up essential liberty to purchase a little temporary safety deserve neither liberty nor safety."
-- attributed to Benjamin Franklin
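
A check for the restriction discussed in this thread, as an added example that is not part of any post: run as an unprivileged user, it reports which other users' processes /proc still exposes by command line. The function names and the `proc_root` parameter are assumptions made for the example.

```python
import os

def foreign_processes(proc_root="/proc", my_uid=None):
    """Return sorted [(pid, owner_uid, cmdline)] for processes not owned by my_uid.

    cmdline is None when the entry is listed but its command line is unreadable.
    """
    if my_uid is None:
        my_uid = os.getuid()
    found = []
    for name in os.listdir(proc_root):
        if not name.isdigit():            # skip self, sys, net, ...
            continue
        path = os.path.join(proc_root, name)
        try:
            owner = os.stat(path).st_uid  # /proc/PID is owned by the process owner
        except OSError:                   # process exited, or entry is hidden
            continue
        if owner == my_uid:
            continue
        try:
            with open(os.path.join(path, "cmdline"), "rb") as fh:
                raw = fh.read()
            # arguments in /proc/PID/cmdline are NUL-separated
            cmdline = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
        except OSError:
            cmdline = None
        found.append((int(name), owner, cmdline))
    return sorted(found)

def report(proc_root="/proc"):
    """Print a summary; return True when no foreign command line is readable."""
    rows = foreign_processes(proc_root)
    leaked = [r for r in rows if r[2]]    # kernel threads have an empty cmdline
    print(f"{len(rows)} processes of other users listed, "
          f"{len(leaked)} with a readable command line")
    for pid, uid, cmd in leaked[:10]:
        print(f"  pid={pid} uid={uid} cmd={cmd}")
    return not leaked

if __name__ == "__main__":
    raise SystemExit(0 if report() else 1)
```

Run it from an ordinary account before and after booting the restricted kernel; exit status 0 means no other user's command line was readable.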
Twist
Guru
Joined: 03 Jan 2003
Posts: 414
Location: San Diego

Posted: Fri Mar 18, 2005 6:48 pm

Exactly what I was looking for, Moocha, thanks.