Gentoo Forums
How to see all processes with a non root user
Forum: Networking & Security

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Thu Apr 08, 2010 8:15 am    Post subject: How to see all processes with a non root user

Hi,

I have 2 Linux servers.
One with Debian 4.0 and the other with Gentoo Base System release 1.12.11.1.

On the Debian with a non root user who is not in the root group I can see all the processes, even the root ones.
On the Gentoo, I can only see my processes.
For your information, I'm using "ps -leaf" or "ps aux" to check that.

Thanks in advance for your answers,
Regards,
Jerome

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46296
Location: 56N 3W

Posted: Thu Apr 08, 2010 8:56 am

jeromeBis,

Welcome to Gentoo

That's a feature of gentoo-hardened, to allow users to see only processes they own.

No users anywhere on any distro should be in the root group ever. That's the same as being root all the time.
If you need root sometimes, look at sudo.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Thu Apr 08, 2010 9:04 am

Hi,

OK, but how can I change that to allow one non-root user to see all processes running?
I just want to have a non-root "supervisor" who can only check what is going on on the server.

Thx

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46296
Location: 56N 3W

Posted: Thu Apr 08, 2010 9:17 am

jeromeBis,

Install sudo and configure it to allow this one user to use the commands you want the supervisor to be able to run as root.
The syntax then becomes
Code:
sudo <command>

If command is in the permitted list, it runs as root; if not, sudo sends root an email.
The supervisor has to give his user password the first time sudo is invoked, but for a sequence of commands it's not needed every time.
I think the default timeout is about five minutes. Anyway, it's long enough not to be annoying.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Thu Apr 08, 2010 9:36 am

NeddySeagoon,

I know the "sudo" command, but I would prefer to call the "ps" one directly because I need to automate a check of the process.

Thx,
Jerome

NeddySeagoon
Administrator

Joined: 05 Jul 2003
Posts: 46296
Location: 56N 3W

Posted: Thu Apr 08, 2010 9:41 am

jeromeBis,

I'm out of ideas. Make a special user that cannot log in to run the script as comes to mind, but that sounds ugly.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

Jaglover
Watchman

Joined: 29 May 2005
Posts: 7711
Location: Saint Amant, Acadiana

Posted: Thu Apr 08, 2010 9:59 am

How about configuring sudo to allow this command without a password [for this user]?

Akkara
Administrator

Joined: 28 Mar 2006
Posts: 6702
Location: &akkara

Posted: Thu Apr 08, 2010 10:25 am

Allowing sudo to work without password sounds risky.

I think a modification on Neddy's idea might work: Write a program that simply calls the main 'ps'. Put it in /usr/local/bin, and make sure /usr/local/bin appears first in your regular user path. So when you run 'ps', it runs /usr/local/bin/ps, which execs /bin/ps. (And when root runs ps, root picks up the /bin/ps version directly since /usr/local/bin isn't in root's path.)

Next, make a new user, one that can't log in. Put the new user in the 'root' group. Make /usr/local/bin/ps setuid owned by this new user.

If I understand correctly (I didn't test this), the /usr/local/bin/ps version ought to be able to see all processes even though you aren't running as root.

If you want to restrict access to just one specific user, you can either have the program check the real user before exec'ing, or stick it in a subdirectory that's only readable by the user you wish to allow. (And make sure it isn't writable, so that user can't remove the binary and put a different one in there.)

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Thu Apr 08, 2010 11:01 am

Thanks Jaglover,

I've added:
Code:
jerome          ALL=(ps) NOPASSWD: ALL

to the /etc/sudoers (via visudo) and it works great.

I don't like (esthetically speaking) using "sudo" in the commands but it does the work.

Thanks again,
Regards,
Jerome

XQYZ
Apprentice

Joined: 19 Jul 2009
Posts: 231
Location: Europe

Posted: Thu Apr 08, 2010 12:28 pm

jeromeBis wrote:
Thanks Jaglover,

I've added:
Code:
jerome          ALL=(ps) NOPASSWD: ALL

to the /etc/sudoers (via visudo) and it works great.

I don't like (esthetically speaking) using "sudo" in the commands but it does the work.

Thanks again,
Regards,
Jerome


Either add an 'alias ps="sudo ps"' to the user's bashrc or add a script named "ps" in the path of the user before the actual ps-path which then calls the real ps with sudo. Both should work.

wthrowe
Tux's lil' helper

Joined: 19 Aug 2009
Posts: 139

Posted: Thu Apr 08, 2010 1:54 pm

The details of the restrictions are controlled by the GRKERNSEC_PROC* kernel configuration options. I don't know how those configurations work, but it looks like the kernel can restrict access to a single group, which might be a better solution.
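
The kernel-side restriction wthrowe points to can be read out of the kernel configuration. The sketch below is an added example, not part of any post: the individual option names (GRKERNSEC_PROC_USER, GRKERNSEC_PROC_USERGROUP, GRKERNSEC_PROC_GID) are those of grsecurity-patched sources and do not appear in the thread, so check them against your tree's Kconfig, and the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads a kernel .config on stdin and
# reports which grsecurity /proc restriction it selects.
# Live use: zcat /proc/config.gz | proc_restriction
#       or: proc_restriction < /usr/src/linux/.config

# True when CONFIG_GRKERNSEC_<name>=y is present in $cfg.
cfg_on() { printf '%s\n' "$cfg" | grep -qx "CONFIG_GRKERNSEC_$1=y"; }

proc_restriction() {
    cfg=$(cat)
    if ! cfg_on PROC; then
        echo "none"                 # every user can list every process
    elif cfg_on PROC_USER; then
        echo "user"                 # each user sees only their own processes
    elif cfg_on PROC_USERGROUP; then
        # Members of this GID keep the full view.
        gid=$(printf '%s\n' "$cfg" | sed -n 's/^CONFIG_GRKERNSEC_PROC_GID=//p')
        echo "group:${gid:-unset}"
    else
        echo "incomplete"           # PROC set, but no USER/USERGROUP choice
    fi
}

# Constructed sample: excerpt of a hardened kernel's .config.
sample_config() {
    cat <<'EOF'
CONFIG_GRKERNSEC=y
CONFIG_GRKERNSEC_PROC=y
# CONFIG_GRKERNSEC_PROC_USER is not set
CONFIG_GRKERNSEC_PROC_USERGROUP=y
CONFIG_GRKERNSEC_PROC_GID=1001
CONFIG_GRKERNSEC_PROC_ADD=y
EOF
}

mode=$(sample_config | proc_restriction)
case $mode in
    group:*) echo "restricted; add the supervisor account to GID ${mode#group:}" ;;
    user)    echo "restricted to owner; no group exemption is compiled in" ;;
    *)       echo "result: $mode" ;;
esac
```

With the group variant, membership of that GID is what gives a monitoring account the full process list without sudo or a setuid wrapper.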

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Thu Apr 08, 2010 4:05 pm

Wrong line, here is the good one:
Code:
jerome          ALL=(ALL) NOPASSWD: /bin/ps
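
A rough review of the two sudoers lines posted in this thread, next to a tighter variant, as an added example that is not part of any post. The third rule and the finding labels are constructed here, and the parser only handles simple one-line rules.

```shell
#!/bin/sh
# Added example, not from the thread: flag broad grants in one-line sudoers
# rules of the form "user host=(runas) NOPASSWD: cmd[, cmd...]".
# Deliberately simple: no aliases, no line continuations, no other tags.

review_rule() {
    rule=$1
    case $rule in
        *NOPASSWD:*) ;;
        *) echo "ok"; return 0 ;;       # password still required
    esac
    case $rule in
        *"("*) runas=${rule#*"("}; runas=${runas%%")"*} ;;
        *)     runas=root ;;            # sudo's default target user
    esac
    findings=""
    if [ "$runas" = "ALL" ]; then findings="$findings any-runas"; fi
    cmds=${rule#*NOPASSWD:}
    old_ifs=$IFS; IFS=,; set -f         # split the command list on commas
    for c in $cmds; do
        c=$(printf '%s' "$c" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        case $c in
            ALL)   findings="$findings any-command" ;;
            *" "*) ;;                   # arguments are pinned
            *)     findings="$findings any-args:$c" ;;
        esac
    done
    IFS=$old_ifs; set +f
    if [ -n "$findings" ]; then echo "${findings# }"; else echo "ok"; fi
}

# Rules 1 and 2 are the lines posted in the thread; rule 3 is constructed.
for r in \
    'jerome          ALL=(ps) NOPASSWD: ALL' \
    'jerome          ALL=(ALL) NOPASSWD: /bin/ps' \
    'jerome ALL=(root) NOPASSWD: /bin/ps aux, /bin/ps -leaf'
do
    printf '%s\n    -> %s\n' "$r" "$(review_rule "$r")"
done
```

`any-args` reflects sudoers semantics: a command listed without arguments may be run with any arguments, while listing the arguments pins them.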

Jaglover
Watchman

Joined: 29 May 2005
Posts: 7711
Location: Saint Amant, Acadiana

Posted: Thu Apr 08, 2010 11:15 pm

:) Glad you got it working the way you want.

Mike Hunt
Watchman

Joined: 19 Jul 2009
Posts: 5287

Posted: Fri Apr 09, 2010 1:17 am

Huh, how come mine can do that?

I get the exact same output from ps -leaf and ps aux as both <user> and root
Code:
 ~ # ps aux | wc -l; ps -leaf | wc -l
128
128

 ~ $ ps aux | wc -l; ps -leaf | wc -l
128
128


My user is GID users and in the wheel group, if that makes a difference. Otherwise everything is a standard installation.

desultory
Administrator

Joined: 04 Nov 2005
Posts: 9392

Posted: Fri Apr 09, 2010 6:24 am

Mike Hunt wrote:
Huh, how come mine can do that?

Is it running on a hardened system? If so, what policies are in effect?

If the answer to the first question is "no" or the answer to the second is either "none" or some suitable variation on "permissive", it is the expected behavior.

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Fri Apr 09, 2010 7:12 am

Hi,

How can you see if a system is hardened and how can you change its policies?

desultory
Administrator

Joined: 04 Nov 2005
Posts: 9392

Posted: Fri Apr 09, 2010 8:16 am

http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=1

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Fri Apr 09, 2010 9:54 am

It doesn't seem I'm in this case.
"ls -Z" and "ps au -Z" give nothing particular and I do not have sestatus or policyvers (tried as root).

Mike Hunt
Watchman

Joined: 19 Jul 2009
Posts: 5287

Posted: Fri Apr 09, 2010 2:18 pm

desultory wrote:
Mike Hunt wrote:
Huh, how come mine can do that?
Is it running on a hardened system? If so, what policies are in effect?

If the answer to the first question is "no" or the answer to the second is either "none" or some suitable variation on "permissive", it is the expected behavior.


Ah I see, it's regular Gentoo. I misunderstood NeddySeagoon's first answer.

Thanks for the clarification. :)

jeromeBis wrote:
Hi,

How can you see if a system is hardened and how can you change its policies?


What does eselect profile show say about the profile? Wouldn't a hardened system use a hardened profile?
And wouldn't you (or someone) have had to enable it explicitly?

Hu
Moderator

Joined: 06 Mar 2007
Posts: 15978

Posted: Sat Apr 10, 2010 2:48 am

Mike Hunt wrote:
What does eselect profile show say about the profile? Wouldn't a hardened system use a hardened profile?
And wouldn't you (or someone) have had to enable it explicitly?

For best results, a hardened profile should be used with a hardened kernel. However, it is possible to run hardened kernels on a non-hardened profile. There are specific changes in the hardened kernel that account for the behavior you inquired about, and these changes can be used without a hardened user environment.

A hardened stage3 tarball may start out associated with a hardened profile, in which case the user might be on a hardened profile without having fully realized it. However, since hardened kernels and hardened profiles are separate, the user would still need to manually choose a set of hardened kernel sources to be on a hardened kernel and experience the cloaking behavior described in this thread.

jeromeBis
n00b

Joined: 08 Apr 2010
Posts: 9

Posted: Mon Apr 26, 2010 10:04 am

Hi,

Sorry, I've been out for 2 weeks ;)

Here is the result of "eselect profile show":
Code:

Current make.profile symlink:
  default/linux/amd64/10.0

phajdan.jr
Retired Dev

Joined: 23 Mar 2006
Posts: 1777
Location: Poland

Posted: Mon Apr 26, 2010 11:59 am

jeromeBis wrote:

OK, but how can I change that to allow one non-root user to see all processes running?
I just want to have a non-root "supervisor" who can only check what is going on on the server.


I think it may be possible. Check your kernel configuration carefully. Look for grsecurity options.
_________________
http://phajdan-jr.blogspot.com/

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Mon Apr 26, 2010 8:50 pm

jeromeBis wrote:
Hi,

Sorry, I've been out for 2 weeks ;)

Here is the result of "eselect profile show":
Code:

Current make.profile symlink:
  default/linux/amd64/10.0


ain't a hardened profile :)

hardened shows as

Code:

 # eselect profile show
Current make.profile symlink:
  hardened/linux/amd64/10.0


check eselect profile list to see available options. If you opt to change to a hardened profile at some point, make sure you sift through the Hardened doc before doing so. It describes how to do this and rebuild your system in detail.
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

phajdan.jr
Retired Dev

Joined: 23 Mar 2006
Posts: 1777
Location: Poland

Posted: Tue Apr 27, 2010 5:35 am

The profile is not so relevant here. The process visibility restriction is implemented in the kernel. I bet you're using hardened-sources (you can check with "uname -a" and "eselect kernel list").
_________________
http://phajdan-jr.blogspot.com/

cach0rr0
Bodhisattva

Joined: 13 Nov 2008
Posts: 4123
Location: Houston, Republic of Texas

Posted: Tue Apr 27, 2010 6:30 am

phajdan.jr wrote:
The profile is not so relevant here. The process visibility restriction is implemented in the kernel. I bet you're using hardened-sources (you can check with "uname -a" and "eselect kernel list").



no, for sure, I agree, and I'm aware. I remember the menuconfig option quite well in fact, "restrict user access to /proc" or some such.

I'm going off on a tangent in case he's curious, pay me no mind :)
_________________
Lost configuring your system?
dump lspci -n here | see Pappy's guide | Link Stash

All times are GMT
Page 1 of 2