Herbert Poetzl <[EMAIL PROTECTED]> wrote: > On Thu, Feb 17, 2005 at 03:41:19PM -0800, Andrew Morton wrote: >> Rene Scharfe <[EMAIL PROTECTED]> wrote:
>> > Add proc.umask kernel parameter. It can be used to restrict permissions >> > on the numerical directories in the root of a proc filesystem, i.e. the >> > directories containing process specific information. >> > >> > E.g. add proc.umask=077 to your kernel command line and all users except >> > root can only see their own process details (like command line >> > parameters) with ps or top. It can be useful to add a bit of privacy to >> > multi-user servers. >> The feature seems fairly obscure, although very simple. >> Is anyone actually likely to use this? I'm using a openwall-patched kernel on some of my boxes with a similar feature. I did not yet test this patch, but I like it. It's cheap, and it fixes a potential security leak. > what about parents (and especially the init process) > some tools like pstree (or ps in certain cases) depend > on their visibility/accessability ... pstree will break if /proc/1 isn't readable, unless you specify a readable starting pid. Since this is not the default case, this is IMO ok. (It should be easy to rewrite it to trace the ppid-chains like "ps auxf" already does correctly, or rather implement it in ps where it belongs). None of my other tools seemed to stop working in an unintended way, but I don't usurally spend my time watching processes. Sample output of "ps auxf" on a openwall-patched system: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND 7eggert 22504 5.0 3.5 2800 1608 pts/4 S 04:14 0:00 -bash 7eggert 22522 0.0 1.7 2856 792 pts/4 R 04:14 0:00 \_ ps auxf 7eggert 22483 2.3 3.4 2800 1588 pts/2 S 04:14 0:00 -bash > what if you want to change it afterwards (when tools > did break)? Change the kernel command line back and reboot (or reload the module). - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
