> Dennis Clarke wrote:
>>
>>  I personally have always wondered why the ps command displays what root is
>>  doing to ordinary users like as if it is any of their business but that
>>  is another idea I just let rattle around in my head.
>>
>
> Dennis,
>
> You can do this (in Solaris 10 and up) by taking away the proc_info
> privilege from a user.
>
> $ ppriv -vl proc_info
> proc_info
>          Allows a process to examine the status of processes other
>          than those it can send signals to.  Processes which cannot
>          be examined cannot be seen in /proc and appear not to exist.
>
> To take away proc_info from user xyz you would add the following entry
> to /etc/user_attr:
>
>       xyz::::defaultpriv=basic,!proc_info
>

  ooooooh ... one moment .. I have to try that right now !


$ uname -a
SunOS pluto 5.8 Generic_117350-41 sun4u sparc SUNW,Ultra-2
$ who am i
dclarke    pts/2        Jan 14 03:33    (titan)
$ ps -ef | wc -l
      43

# cat /etc/user_attr
# Copyright (c) 1999 by Sun Microsystems, Inc. All rights reserved.::::
#::::
# /etc/user_attr::::
#::::
# user attributes. see user_attr(4)::::
#::::
#pragma ident   "@(#)user_attr  1.2     99/07/14 SMI"::::
#::::
root::::type=normal;auths=solaris.*,solaris.grant;profiles=All
#
# remove the right to inspect processes to which a user can not send signals
# essentially make other processes private if the pid is not owned by username
dclarke::::defaultpriv=basic,!proc_info
#


okay ..

$ ps -ef | wc -l
      43

I'll log out and then back in ...

$ ps -ef | wc -l
      43


Okay .. so not a function that works in Solaris 8

Let's look at s10u2 :


$ uname -a
SunOS titan 5.10 Generic_118855-19 i86pc i386 i86pc
$ cat /etc/release
                        Solaris 10 6/06 s10x_u2wos_09a X86
           Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
                        Use is subject to license terms.
                             Assembled 09 June 2006
$ ppriv -vl proc_info
proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to.  Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.
$


Okay .. we can expect it to work here then ...


$ ps -ef | wc -l
      86
$

# Copyright (c) 2003 by Sun Microsystems, Inc. All rights reserved.
#
# /etc/user_attr
#
# user attributes. see user_attr(4)
#
#pragma ident   "@(#)user_attr 1.1      03/07/09 SMI"
#
adm::::profiles=Log Management
lp::::profiles=Printer Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
#
# remove the right to inspect processes to which a user can not send signals
# essentially make other processes private if the pid is not owned by username
dclarke::::defaultpriv=basic,!proc_info
~
~
~
~
~
~
"/etc/user_attr" 16 lines, 537 characters

$ ps -ef | wc -l
      86
$

I guess I have to totally log out and then back in again ...

... and since I have a dozen things going here .. I'll try this tomorrow

Thanks for the pointer

Dennis


_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org
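
An added example, not part of the original message or of Solaris itself: a small sh/awk audit that lists which accounts in a user_attr(4)-format file have proc_info left out of their default privilege set, as the dclarke entry in the message does. The function names, the xyz and ops sample lines, and the left-to-right handling of defaultpriv tokens are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts whose defaultpriv
# in a user_attr(4)-format file leaves proc_info out of the default set.
# Assumption: tokens are applied left to right, and an entry without a
# defaultpriv attribute gets the "basic" set, which includes proc_info.

users_without_proc_info() {   # reads user_attr text on stdin
    awk -F: '
        /^[ \t]*#/ || NF < 5 { next }          # comments, blank or short lines
        {
            attrs = $5                          # attr field; rejoin stray ":"
            for (i = 6; i <= NF; i++) attrs = attrs ":" $i
            n = split(attrs, kv, ";")
            has = 1                             # no defaultpriv means basic
            for (i = 1; i <= n; i++) {
                if (kv[i] !~ /^defaultpriv=/) continue
                sub(/^defaultpriv=/, "", kv[i])
                has = 0                         # start empty, then apply tokens
                m = split(kv[i], p, ",")
                for (j = 1; j <= m; j++) {
                    t = p[j]
                    # "!" and "-" both exclude a privilege from the set
                    if (t == "basic" || t == "all" || t == "zone" || t == "proc_info")
                        has = 1
                    else if (t == "none" || t == "!proc_info" || t == "-proc_info")
                        has = 0
                }
            }
            if (!has) print $1                  # login name of restricted user
        }'
}

# Constructed sample: the adm, root and dclarke lines are as posted in the
# thread; the xyz and ops lines are made up for this example.
sample_user_attr() {
    cat <<'EOF'
# user attributes. see user_attr(4)
adm::::profiles=Log Management
root::::auths=solaris.*,solaris.grant;profiles=Web Console Management,All;lock_after_retries=no
dclarke::::defaultpriv=basic,!proc_info
xyz::::profiles=All;defaultpriv=basic,-proc_info
ops::::defaultpriv=basic,!proc_session
EOF
}

sample_user_attr | users_without_proc_info
```

On a live system the function would be fed the real file, for example `users_without_proc_info < /etc/user_attr`, and the result compared against `ppriv $$` run from a fresh login of each listed user.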