On 01/27/2015 08:26 AM, Renaud Allard wrote:
Hello,

I wrote a patch which adds a new kernel sysctl (hideproc) that hides
processes not owned by the calling user, except for root. This should be mostly
useful on shell servers and on servers with chroots.

I know some controversial patches have been presented in the past, but
this one only does only one thing and should have a small enough impact.

While writing it, I was using a snapshot of about 1 week old, and the
patch didn't work for a reason I have not found. But it works fine on
5.6 (that's why this one applies to 5.6). So there might be or have been
a regression somewhere.

OK, it seems my patch was a little bit mangled for some reason.

Here you can find the full patch (including man pages) which works against -current

https://arnor.org/OpenBSD/hideproc.txt

Index: lib/libc/gen/sysctl.3
===================================================================
RCS file: /cvs/src/lib/libc/gen/sysctl.3,v
retrieving revision 1.246
diff -u -p -u -r1.246 sysctl.3
--- lib/libc/gen/sysctl.3       22 Dec 2014 03:33:18 -0000      1.246
+++ lib/libc/gen/sysctl.3       27 Jan 2015 13:33:09 -0000
@@ -466,6 +466,7 @@ information.
 .It Dv KERN_USERMOUNT Ta "integer" Ta "yes"
 .It Dv KERN_VERSION Ta "string" Ta "no"
 .It Dv KERN_WATCHDOG Ta "node" Ta "not applicable"
+.It Dv KERN_HIDEPROC Ta "integer" Ta "yes"
 .El
 .Bl -tag -width "123456"
 .It Dv KERN_ARGMAX
@@ -1071,6 +1072,9 @@ variable.
 .It Dv KERN_WATCHDOG_PERIOD
 The period of the watchdog timer in seconds.
 Set to 0 to disable the watchdog timer.
+.It Dv KERN_HIDEPROC
+If set to 1, the kernel will only list processes belonging to the user
+making the call, except if the user is root.
 .El
 .El
 .Ss CTL_MACHDEP
Index: sbin/sysctl/sysctl.8
===================================================================
RCS file: /cvs/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.186
diff -u -p -u -r1.186 sysctl.8
--- sbin/sysctl/sysctl.8        12 Dec 2014 08:42:48 -0000      1.186
+++ sbin/sysctl/sysctl.8        27 Jan 2015 13:33:11 -0000
@@ -197,6 +197,7 @@ and a few require a kernel compiled with
 .It kern.maxlocksperuid Ta integer Ta yes
 .It kern.bufcachepercent Ta integer Ta yes
 .It kern.consdev Ta string Ta no
+.It kern.hideproc Ta integer Ta yes
 .It kern.global_ptrace Ta integer Ta yes
 .It vm.vmmeter Ta struct Ta no
 .It vm.loadavg Ta struct Ta no
Index: sys/kern/kern_sysctl.c
===================================================================
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.279
diff -u -p -u -r1.279 kern_sysctl.c
--- sys/kern/kern_sysctl.c      20 Jan 2015 19:43:21 -0000      1.279
+++ sys/kern/kern_sysctl.c      27 Jan 2015 13:33:11 -0000
@@ -245,6 +245,7 @@ int hostnamelen;
 char domainname[MAXHOSTNAMELEN];
 int domainnamelen;
 long hostid;
+int hideproc;
 char *disknames = NULL;
 struct diskstats *diskstats = NULL;
 #ifdef INSECURE
@@ -594,6 +595,8 @@ kern_sysctl(int *name, u_int namelen, vo
                return sysctl_rdstruct(oldp, oldlenp, newp, &dev, sizeof(dev));
        case KERN_NETLIVELOCKS:
                return (sysctl_rdint(oldp, oldlenp, newp, net_livelocks));
+       case KERN_HIDEPROC:
+               return(sysctl_int(oldp, oldlenp, newp, newlen, &hideproc));
        case KERN_POOL_DEBUG: {
                int old_pool_debug = pool_debug;

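Review bot: The new KERN_HIDEPROC case stores whatever integer a privileged writer supplies, while the sysctl.3 text in this patch documents only the value 1 and the consumer in sysctl_doproc tests `hideproc > 0`, so 2 or -1 are silently accepted as "on" or "off" instead of being rejected. Read into a temporary, refuse anything but 0 and 1 with EINVAL, and only then commit the value; the rewrite below assumes the function's existing `error` local is in scope, as the neighbouring cases appear to use. It is also worth deciding explicitly whether root may clear the flag once securelevel is raised — a securelevel-aware helper, if the file has one, would make the hardening knob sticky; either answer is defensible but should be stated. kern_sysctl starts before and ends after this hunk.
```c
	case KERN_HIDEPROC: {
		int v = hideproc;

		error = sysctl_int(oldp, oldlenp, newp, newlen, &v);
		if (error || newp == NULL)
			return (error);
		/* Only 0 and 1 are documented; refuse anything else. */
		if (v != 0 && v != 1)
			return (EINVAL);
		hideproc = v;
		return (0);
	}
```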
@@ -1372,6 +1375,17 @@ again:
                 * Skip embryonic processes.
                 */
                if (pr->ps_flags & PS_EMBRYO)
+                       continue;
+
+               /*
+               * Only show user owned processes if hideproc flag is set
+               * or the last exec gave us setuid/setgid privs
+               * (unless you're root).
+               */
+
+               if ( hideproc > 0 && (pr != curproc->p_p &&
+                       (pr->ps_ucred->cr_ruid != curproc->p_ucred->cr_ruid ||
+                       (pr->ps_flags & PS_SUGID)) && suser(curproc, 0) != 0))
                        continue;

                /*
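Review bot: `suser(curproc, 0)` on the last line of the added condition is evaluated for every non-owned process in the listing rather than once per call, and on OpenBSD a zero flags argument also records the privilege use in the caller's accounting flags on each success, as far as I recall; evaluate it once before the loop (whose head is above this hunk), e.g. `int privileged = (suser(curproc, 0) == 0);`, and test `!privileged` in the condition. The filter itself looks sound (real-uid match, caller's own process always kept), but the PS_SUGID clause also hides the caller's own set-id processes, which the sysctl.3 wording in this patch ("processes belonging to the user") does not say; document it there and in the comment above the check, e.g. `/* The caller's own set-id processes are hidden as well. */`. Note too that this only filters the listing — a pid's existence presumably remains observable through other interfaces, so the man page should describe the knob as reducing information leakage, not making processes invisible. Per style(9), drop the space in `if ( hideproc` and align the comment's continuation lines. The enclosing function (sysctl_doproc, judging by the embryo skip) starts before and ends after this hunk.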
Index: sys/sys/sysctl.h
===================================================================
RCS file: /cvs/src/sys/sys/sysctl.h,v
retrieving revision 1.154
diff -u -p -u -r1.154 sysctl.h
--- sys/sys/sysctl.h    13 Jan 2015 10:07:58 -0000      1.154
+++ sys/sys/sysctl.h    27 Jan 2015 13:33:11 -0000
@@ -184,7 +184,8 @@ struct ctlname {
 #define        KERN_GLOBAL_PTRACE      81      /* allow ptrace globally */
 #define        KERN_CONSBUFSIZE        82      /* int: console message buffer 
size */
 #define        KERN_CONSBUF            83      /* console message buffer */
-#define        KERN_MAXID              84      /* number of valid kern ids */
+#define KERN_HIDEPROC          84      /* int: system hide other procs */
+#define        KERN_MAXID              85      /* number of valid kern ids */

 #define        CTL_KERN_NAMES { \
        { 0, 0 }, \
@@ -269,6 +270,9 @@ struct ctlname {
        { "proc_nobroadcastkill", CTLTYPE_NODE }, \
        { "proc_vmmap", CTLTYPE_NODE }, \
        { "global_ptrace", CTLTYPE_INT }, \
+       { "gap", 0 }, \
+       { "gap", 0 }, \
+       { "hideproc", CTLTYPE_INT }, \
 }
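Review bot: The two `{ "gap", 0 }` placeholders are what keep `hideproc` at index 84 after `global_ptrace` (81), standing in for KERN_CONSBUFSIZE (82) and KERN_CONSBUF (83) from the previous hunk, but nothing in the table says which ids they cover, so whoever later names one of those ids can shift hideproc without noticing. Annotate them `{ "gap", 0 },	/* KERN_CONSBUFSIZE */` and `{ "gap", 0 },	/* KERN_CONSBUF */`. Because the table is positional, a compile-time check that its element count equals KERN_MAXID (85 after this patch) would catch such drift, if the kernel has a suitable static-assert facility.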

 /*

