[20100605]
Hiding other users' processes
This was asked on #NetBSD:
<batence> I wanna set the top command work only for users process, not
for all system
<batence> in freebsd command is sysctl security.bsd.see_other_uids=0/1
<batence> but I dunno for netbsd
<batence> eg I don't want users see other uids
<batence> only which they owned
Looking at the output of "sysctl -a" didn't show anything obvious,
but recalling the topic and with some digging, there actually
is a sysctl switch for that in NetBSD: security.models.bsd44.curtain=1
Here's an example top(1) output with the default setting (0).
My username is "feyrer", note that besides my processes,
other users' processes are shown as well:
load averages: 0.02, 0.01, 0.00; up 11+15:08:30 18:38:56
24 processes: 23 sleeping, 1 on CPU
CPU states: 0.0% user, 0.0% nice, 0.0% system, 0.0% interrupt, 100% idle
Memory: 71M Act, 51M Inact, 552K Wired, 5560K Exec, 110M File, 27M Free
Swap: 512M Total, 335M Used, 178M Free
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
0 root 126 0 0K 16M pgdaemon 5:41 0.00% 0.00% [system]
492 root 85 0 4792K 608K kqueue 0:06 0.00% 0.00% master
113 root 85 0 2908K 860K select 0:05 0.00% 0.00% dhclient
535 root 85 0 2900K 556K nanoslp 0:05 0.00% 0.00% cron
155 root 85 0 2932K 548K kqueue 0:05 0.00% 0.00% syslogd
496 postfix 85 0 4792K 888K kqueue 0:01 0.00% 0.00% qmgr
4409 feyrer 43 0 2984K 1240K CPU 0:00 0.00% 0.00% top
1197 root 85 0 8640K 3692K netio 0:00 0.00% 0.00% sshd
24830 root 85 0 8640K 3692K netio 0:00 0.00% 0.00% sshd
6949 feyrer 85 0 8640K 2828K select 0:00 0.00% 0.00% sshd
28093 feyrer 85 0 8640K 2828K select 0:00 0.00% 0.00% sshd
12391 feyrer 85 0 2132K 1876K pause 0:00 0.00% 0.00% tcsh
25579 feyrer 85 0 2132K 1876K pause 0:00 0.00% 0.00% tcsh
5773 postfix 85 0 4792K 1868K kqueue 0:00 0.00% 0.00% pickup
1929 root 85 0 2128K 1828K ttyraw 0:00 0.00% 0.00% tcsh
29212 root 85 0 2972K 1164K kqueue 0:00 0.00% 0.00% inetd
25972 root 85 0 2824K 1076K pause 0:00 0.00% 0.00% ksh
Likewise, I see a number of processes in ps(1):
% ps -aux | wc -l
26
Now let's change the sysctl:
# sysctl -d security.models.bsd44.curtain
security.models.bsd44.curtain: Curtain information about objects to users not owning them.
# sysctl -w security.models.bsd44.curtain=1
security.models.bsd44.curtain: 0 -> 1
After this, the top(1) output looks like this:
load averages: 0.02, 0.01, 0.00; up 11+15:08:45 18:39:11
5 processes: 4 sleeping, 1 on CPU
CPU states: 0.0% user, 0.0% nice, 0.2% system, 0.0% interrupt, 99.8% idle
Memory: 71M Act, 51M Inact, 552K Wired, 5416K Exec, 110M File, 28M Free
Swap: 512M Total, 335M Used, 178M Free
PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
4409 feyrer 43 0 2984K 1240K CPU 0:00 0.00% 0.00% top
28093 feyrer 85 0 8640K 2828K select 0:00 0.00% 0.00% sshd
6949 feyrer 85 0 8640K 2828K select 0:00 0.00% 0.00% sshd
12391 feyrer 85 0 2132K 1876K pause 0:00 0.00% 0.00% tcsh
25579 feyrer 85 0 2132K 1876K pause 0:00 0.00% 0.00% tcsh
This reduced set of processes is also shown in ps(1):
% ps -aux | wc -l
7
In other words, only my processes are displayed.
(If you wonder about the difference between the 7 processes shown
in top and the seven ps(1) lines: the latter includes
a heading.)
Note that this "filtering" does not apply to the root
user, i.e. root can still see all processes.
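As an added example (not part of the original post), here is a small check a non-root user can run to confirm that the curtain setting actually hides other users' processes on a given host. It feeds a ps(1) or top(1) listing through awk, locates the USER (ps) or USERNAME (top) column, and reports every other owner that still shows up; the function names and the constructed usage are my own.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Given a ps(1) or top(1) listing on stdin, print the usernames other than
# the one passed as $1 that own a visible process. From an unprivileged
# account with security.models.bsd44.curtain=1 this should print nothing;
# with curtain=0 it lists the users whose processes are exposed.
other_users() {
    me=$1
    awk -v me="$me" '
        # Skip lines until the header; remember which column holds the owner
        # (USER for ps -aux, USERNAME for top).
        !col {
            for (i = 1; i <= NF; i++)
                if ($i == "USER" || $i == "USERNAME") col = i
            next
        }
        # Data lines: remember every owner that is not us.
        NF >= col && $col != me { seen[$col] = 1 }
        END { for (u in seen) print u }
    ' | sort
}

# Exit 0 when no foreign processes are visible, 1 otherwise.
# Usage on the host being checked:  ps -aux | curtain_effective "$(id -un)"
curtain_effective() {
    others=$(other_users "$1")
    if [ -n "$others" ]; then
        printf 'processes of other users are visible: %s\n' "$others" >&2
        return 1
    fi
    printf 'only processes owned by %s are visible\n' "$1"
    return 0
}
```

Run it as the ordinary user, not as root: the post notes that root still sees everything, so a root run proves nothing. To keep the setting across reboots on NetBSD, add the line `security.models.bsd44.curtain=1` to /etc/sysctl.conf, which rc applies at boot; the sysctl description quoted above speaks of "objects" in general, so expect the same restriction to apply beyond ps and top.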
[Tags: curtain, ps, secmodel, Security, top]