Limiting 'w', 'top' and 'ps'

Post by Ollie Coo » Sun, 31 Dec 1899 09:00:00

Hi.

I'm just beginning to set up a machine running Red Hat Linux 6.0

What I would like to do is make it so people 'feel alone' on the box. What I
mean is when they type 'w' they only see their own sessions logged in; when
they type 'top' only their processes are mentioned (and likewise for 'ps'). I
know this is possible as I have seen it done; but just don't know how.

I'm hoping one of you guys does!

All the best,

Ollie

Post by Peter T. Breue » Sun, 31 Dec 1899 09:00:00

: What I would like to do is make it so people 'feel alone' on the box. What I
: mean is when they type 'w' they only see their own sessions logged in; when
: they type 'top' only their processes are mentioned (and likewise for 'ps'). I

Interesting idea. You could put each of them in their own chroot jail,
and mount a proc file system on each. That'd get you a bit of the way.
You'd then have to doctor the proc fs code to only show their own
processes. That'd kill top and ps looksees. For w, you need to doctor
utmp, in some way that I can't imagine.

: know this is possible as I have seen it done; but just don't know how.

Then you know more than me. The easiest thing is to tell them not to
use top and ps! Or use your own versions. You can get a way by
configuring the apps the way you want, but they'll always be able to
run their own.

: I'm hoping one of you guys does!

I don't see how it could even be possible. You'd have to make various
important daemon processes invisible too.

Peter

Post by Ollie Coo » Sun, 31 Dec 1899 09:00:00

> : What I would like to do is make it so people 'feel alone' on the box. What I
> : mean is when they type 'w' they only see their own sessions logged in; when
> : they type 'top' only their processes are mentioned (and likewise for 'ps'). I

> Interesting idea. You could put each of them in their own chroot jail,
> and mount a proc file system on each. That'd get you a bit of the way.
> You'd then have to doctor the proc fs code to only show their own
> processes. That'd kill top and ps looksees. For w, you need to doctor
> utmp, in some way that I can't imagine.

> : know this is possible as I have seen it done; but just don't know how.

> Then you know more than me. The easiest thing is to tell them not to
> use top and ps! Or use your own versions. You can get a way by
> configuring the apps the way you want, but they'll always be able to
> run their own.

> : I'm hoping one of you guys does!

> I don't see how it could even be possible. You'd have to make various
> important daemon processes invisible too.

> Peter

Thanks for taking the time to reply; I've now got a greater understanding of
what's going on so I'll try to explain.

This is an example of 'vdir /proc' on the machine which makes users "feel
alone".

dr-xr-x---   3 user1    root            0 Feb  5 14:41 26641/
dr-xr-x---   3 user1    root            0 Feb  5 14:41 26643/
dr-xr-x---   3 user2    root            0 Feb  5 14:41 2693/

As you can see, in this setup the process information is only readable by
the owner and root.

In my vanilla RH6.0 setup I get the following:

dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23612
dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23613
dr-xr-xr-x   3 root     root            0 Feb  5 13:41 23913

These are, obviously, readable by everyone.

I assume it is the above system that is causing 'top', 'w' and 'ps' to only
report the current user's details.

So, the overriding question is... how do I set my system up like that?

All the best,

Ollie

Post by Peter T. Breue » Sun, 31 Dec 1899 09:00:00

:> : What I would like to do is make it so people 'feel alone' on the box.  What I
:>
:> Interesting idea. You could put each of them in their own chroot jail,
:> and mount a proc file system on each. That'd get you a bit of the way.
:> You'd then have to doctor the proc fs code to only show their own
:> processes. That'd kill top and ps looksees. For w, you need to doctor
:> utmp, in some way that I can't imagine.

: This is an example of 'vdir /proc' on the machine which makes users "feel
: alone".

: dr-xr-x---   3 user1    root            0 Feb  5 14:41 26641/
: dr-xr-x---   3 user1    root            0 Feb  5 14:41 26643/
: dr-xr-x---   3 user2    root            0 Feb  5 14:41 2693/

: As you can see, in this setup the process information is only readable by
: the owner and root.

But you can still see that another process uid is running!

: In my vanilla RH6.0 setup I get the following:

: dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23612
: dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23613
: dr-xr-xr-x   3 root     root            0 Feb  5 13:41 23913

: These are, obviously, readable by everyone.

It doesn't matter. top could trivially still read them if it were suid.

: So, the overriding question is... how do I set my system up like that?

Obviously you can simply change the mask in the proc_fs code. I regret I
can't see where straight off. It might be in array.c by the look.  I don't
know if newer kernels have a configure option to do it. Check the uname -r
output on the machine you are looking at.

Peter
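The two listings above, worked through as an added example that is not code from the thread: the script parses both `vdir /proc` outputs Ollie quoted and computes, for a given user, which PID directories could be opened (what ps and top would report) and which PID names still show up in /proc regardless of their mode (Peter's objection). It assumes, as labelled in the code, that a user belongs only to the group of the same name and that root ignores the mode bits.

```python
import re

# Constructed sample input: the two `vdir /proc` listings quoted in the thread.
ALONE_LISTING = """\
dr-xr-x---   3 user1    root            0 Feb  5 14:41 26641/
dr-xr-x---   3 user1    root            0 Feb  5 14:41 26643/
dr-xr-x---   3 user2    root            0 Feb  5 14:41 2693/
"""
VANILLA_LISTING = """\
dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23612
dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23613
dr-xr-xr-x   3 root     root            0 Feb  5 13:41 23913
"""

# mode  links  owner  group  size  month  day  time  name (vdir may append '/')
LINE_RE = re.compile(
    r"^(?P<mode>[d-][rwx-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<pid>\d+)/?$"
)

def parse_listing(text):
    """Yield (pid, owner, group, mode) for every PID directory in the listing."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m["pid"]), m["owner"], m["group"], m["mode"]

def can_search(mode, owner, group, user):
    """Can `user` enter /proc/PID? ps and top must open /proc/PID/stat, and
    opening a file below a directory needs the x (search) bit on that directory.
    Assumption (not from the thread): a user belongs only to the group carrying
    its own name, and root bypasses the permission bits entirely."""
    if user == "root":
        return True
    if user == owner:
        triad = mode[1:4]      # owner bits
    elif user == group:
        triad = mode[4:7]      # group bits
    else:
        triad = mode[7:10]     # other bits
    return triad[2] == "x"

def readable_pids(listing, user):
    """PIDs whose /proc entry `user` can open: what ps or top would report."""
    return sorted(p for p, o, g, m in parse_listing(listing) if can_search(m, o, g, user))

def listed_pids(listing):
    """PIDs that still appear as names in /proc whatever their mode, because the
    /proc directory itself stays world-readable: Peter's objection above."""
    return sorted(p for p, _, _, _ in parse_listing(listing))
```

On kernels from 3.3 onward the same restriction is a proc mount option rather than a source patch: hidepid=1 makes other users' /proc/PID entries unopenable, and hidepid=2 also removes them from the directory listing, closing the gap that listed_pids exposes.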

Post by Ollie Coo » Sun, 31 Dec 1899 09:00:00

> But you can still see that another process uid is running!

:)

> : In my vanilla RH6.0 setup I get the following:

> : dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23612
> : dr-xr-xr-x   3 ollie    ollie           0 Feb  5 13:41 23613
> : dr-xr-xr-x   3 root     root            0 Feb  5 13:41 23913

> : These are, obviously, readable by everyone.

> It doesn't matter. top could trivially still read them if it were suid.

Is top usually run as suid?

> : So, the overriding question is... how do I set my system up like that?

> Obviously you can simply change the mask in the proc_fs code. I regret I
> can't see where straight off. It might be in array.c by the look.  I don't
> know if newer kernels have a configure option to do it. Check the uname -r
> output on the machine you are looking at.

2.2.12 on the "alone" machine and 2.2.5-22 on mine

Where do we go from here? I had a look at a kernel recompile and couldn't
see anything in there that would do the business.

> Peter

Ollie

Post by Peter T. Breue » Sun, 31 Dec 1899 09:00:00

:> Obviously you can simply change the mask in the proc_fs code. I regret I
:> can't see where straight off. It might be in array.c by the look.  I don't
:> know if newer kernels have a configure option to do it. Check the uname -r
:> output on the machine you are looking at.

: 2.2.12 on the "alone" machine and 2.2.5-22 on mine

I'm running 2.2.10 and I don't know about such an option either (not that
I've looked ...).

: Where do we go from here? I had a look at a kernel recompile and couldn't
: see anything in there that would do the business.

I assume they've made an alteration to the proc_fs dirs perms in the proc_fs code. Can
one mount the proc dir with a mask? Hmm ... try umask=022. Ask the people with the
kernel for their patch!

Peter

SIGFPE with 'top' or 'ps -u' -- why ???

Hi there,

I'm working with Linux 1.3.x (1.3.88 at this time).

Every time I call 'ps' with the user option (-u) or 'top',
which lists user dependent, too, the process dies getting a
FPE signal (floating point exception).

Has someone got a solution for this problem?
I tried to trace the process, hoping to identify the problem,
but I didn't.

thanx Alexander Strauss
