On Thu, Feb 17, 2005 at 03:41:19PM -0800, Andrew Morton wrote:
> Rene Scharfe <[EMAIL PROTECTED]> wrote:
> >
> > Add proc.umask kernel parameter. It can be used to restrict permissions
> > on the numerical directories in the root of a proc filesystem, i.e. the
> > directories containing process specific information.
> >
> > E.g. add proc.umask=077 to your kernel command line and all users except
> > root can only see their own process details (like command line
> > parameters) with ps or top. It can be useful to add a bit of privacy to
> > multi-user servers.
> >
> > The patch has been inspired by a similar feature in GrSecurity.
> >
> > It could have also been implemented as a mount option to procfs, but at
> > a higher cost and no apparent benefit -- changes to this umask are not
> > supposed to happen very often. Actually, the previous incarnation of
> > this patch was implemented as a half-assed mount option, but I didn't
> > know then how easy it is to add a kernel parameter.
>
> The feature seems fairly obscure, although very simple.
> Is anyone actually likely to use this?
What about parents (and especially the init process)? Some tools like pstree
(or ps in certain cases) depend on their visibility/accessibility ... was this
tested except for the trivial case where just plain everything is visible?
What if you want to change it afterwards (when tools did break)?

best,
Herbert

> > +static umode_t umask = 0;
>
> a) I think the above should be called proc_umask.
>
> b) You shouldn't initialise it.
>
> c) When adding a kernel parameter you should update
>    Documentation/kernel-parameters.txt

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [EMAIL PROTECTED]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
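The following is an added example, not code from the thread or from Rene Scharfe's patch. It models what the patch description claims (with proc.umask=077, non-root users can only traverse their own /proc/<pid> directories) and gives an admin a way to check a live /proc for Herbert's question about pid 1 and parents. Assumptions made here, not stated on the page: the umask is applied like a classic umask, i.e. mode & ~umask, to the usual 0555 base mode of /proc/<pid>; the result is then checked with ordinary owner/group/other rules, root excepted. The process table SAMPLE_PROCS and the helper names (apply_umask, can_traverse, visible_pids, audit_live_proc) are constructed for this example.

```python
"""Model /proc/<pid> visibility under a proc umask, and audit a live /proc.

Added example for the proc.umask thread; not the patch's own code.
Assumptions (labelled): proc.umask acts as mode & ~umask on the 0555 base
mode of /proc/<pid>; the bits are then checked with classic Unix DAC rules,
and uid 0 always passes ("all users except root" in the patch text).
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

PROC_PID_BASE_MODE = 0o555  # dr-xr-xr-x, the usual mode of /proc/<pid>


def apply_umask(base_mode: int, umask: int) -> int:
    """Permission bits left after the proc umask strips its bits (assumed
    semantics: mode & ~umask, like a normal file-creation umask)."""
    return base_mode & ~umask & 0o777


def can_traverse(mode: int, dir_uid: int, dir_gid: int,
                 uid: int, gids: Iterable[int]) -> bool:
    """Owner/group/other check for read+search (r-x) on a directory."""
    if uid == 0:
        return True  # root bypasses DAC, as the patch description says
    if uid == dir_uid:
        return (mode & 0o500) == 0o500
    if dir_gid in set(gids):
        return (mode & 0o050) == 0o050
    return (mode & 0o005) == 0o005


def visible_pids(procs: Dict[int, Tuple[int, int]], uid: int,
                 gids: Iterable[int], umask: int) -> List[int]:
    """Pids whose /proc directory `uid` could read, given a constructed
    table pid -> (owner uid, owner gid) and the proc umask in force."""
    mode = apply_umask(PROC_PID_BASE_MODE, umask)
    gids = set(gids)
    return sorted(pid for pid, (owner, group) in procs.items()
                  if can_traverse(mode, owner, group, uid, gids))


# Constructed sample process table: init plus a few user-owned processes.
SAMPLE_PROCS = {
    1: (0, 0),          # init, owned by root
    742: (1000, 1000),  # shell of uid 1000
    743: (1001, 1001),  # another user's process
    900: (1000, 1000),  # second process of uid 1000
}


def audit_live_proc(uid: int, gids: Iterable[int]) -> Dict[int, bool]:
    """Stat the real /proc/<pid> entries (Linux only) and report, per pid,
    whether `uid` could traverse them with the mode currently in effect.
    Checking report[1] answers whether init is still readable for `uid`."""
    gids = set(gids)
    report: Dict[int, bool] = {}
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            st = os.stat(os.path.join("/proc", name))
        except OSError:
            continue  # the process exited between listdir and stat
        if not stat.S_ISDIR(st.st_mode):
            continue
        report[int(name)] = can_traverse(stat.S_IMODE(st.st_mode),
                                         st.st_uid, st.st_gid, uid, gids)
    return report


if __name__ == "__main__":
    for umask in (0o000, 0o077):
        seen = visible_pids(SAMPLE_PROCS, 1000, {1000}, umask)
        print(f"umask={umask:03o}: uid 1000 sees pids {seen}")
    if os.path.isdir("/proc"):
        live = audit_live_proc(1000, {1000})
        print(f"live /proc: pid 1 traversable by uid 1000? {live.get(1)}")
```

With the sample table, umask 000 leaves every pid visible to uid 1000, while umask 077 hides pid 1 and the other user's process, which is exactly the pstree/ps breakage Herbert asks about; running audit_live_proc on a real box shows whether that is the state in effect rather than the intended one.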