- 01-30-2008 #1
Prevent one user from seeing another's processes?
Hi, I've been using a program that requires me to enter a key on the command line when it is run. My worry here is that another user on my system could do a simple "ps" command and list the arguments, also seeing my key.
Is there any way to prevent other users from seeing processes launched by another user? I tried changing permissions on the specific folder for the process in /proc/ but I keep getting a message that changing those permissions is not permitted.
If there is not a way to do this, is there a simple way to prevent users from running commands like "ps" that could display this during the time it takes me to run the program?
- 01-30-2008 #2 Linux Guru
- Join Date
- Nov 2007
- Location
- Córdoba (Spain)
- Posts
- 1,513
Not that I know of. Even if you restrict the usage of ps, a given user can still download an rpm or compile it him/herself (though you can always mount the home directories as noexec).
The usage of passwords on command line is not usually enforced and is not recommended, because everyone can see what you type. No need to use ps.
If the program does this kind of insecure stuff, you should probably look for an alternative or modify it to read the passwords from a file, it shouldn't be difficult.
- 01-30-2008 #3
- 01-30-2008 #4
Well... It seems like you need to modify your program in order to read the key from a file instead of the command line...
- 01-30-2008 #5 Linux Guru
In C you just need a line for a new file pointer var, a line for fopen, then to seek and read and finally to parse it and assign it to a variable. This is really little effort, and will save you lots of trouble. It might depend on the language you used, but it should not be complicated at all. Only a few lines and minor modifications.
- 01-30-2008 #6
Well, the problem I'm having with that is if I open a file from stdin (this is an encryption program) to be encrypted, then I am no longer able to grab the key from stdin or user input. The only thing I can think of to solve this is to make a buffer, and I'm not really advanced enough in C to really do that.
- 01-30-2008 #7
Originally Posted by SagaciousKJB
In FreeBSD there's a sysctl MIB:
security.bsd.see_other_uids
When set to 0 it will accomplish what you're asking. I am not sure if something similar exists in GNU/Linux land (and I don't have a Linux box in front of me at the moment).
Maybe someone knows.
- 01-30-2008 #8 Linux Guru
Again, not as far as I know.
The easiest workaround would be this:
echo "<password>" > keyfile
./myprogram $(cat keyfile)
This way ps will show nothing important.
Make sure you chmod it adequately, since anyone looking at ps will know on which file to look to get the password.
EDITED: I also think that the grsecurity patches might do that, but I can't confirm it.
- 01-30-2008 #9 Linux Guru
I don't know what you mean. You just need to open the keys file when starting, read the key, and close the file pointer.
After that, your program would continue just like it is now, without modifications. Just put the key on the same var you used to hold it before and the rest of the code shouldn't need any change.
I can't be any more accurate since I haven't seen the source.
If you have specific questions about the code, you might want to post it to the programming subforum, where you'll get a better chance to have it answered.
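The change suggested in posts #5 and #9, as an added example that is not part of the thread and not the poster's program: a C routine that reads the key from a file and refuses a file other users could access (the chmod point in post #8). Reading the file inside the program, rather than expanding it on the command line with $(cat keyfile), keeps the key out of the argument list that ps shows and leaves stdin free for the data. The function name `read_key_file`, the 256-byte buffer and the usage line are assumptions.

```c
/* Added example (not the program from the thread): load the key from a
 * private file so it never appears in argv, leaving stdin free for data. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copies the first line of `path` into `key` (NUL-terminated, newline
 * stripped). Returns the key length, or -1 if the file cannot be opened,
 * is not a regular file owned by the caller, is accessible to group or
 * other, is empty, or does not fit in `cap` bytes. */
long read_key_file(const char *path, char *key, size_t cap)
{
    struct stat st;
    size_t used = 0;
    ssize_t n = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path, so check and read see one file */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -1;
    }
    while (used < cap && (n = read(fd, key + used, cap - used)) > 0)
        used += (size_t)n;
    close(fd);
    if (n < 0)
        return -1;
    char *nl = memchr(key, '\n', used);
    size_t len = nl ? (size_t)(nl - key) : used;
    if (len == 0 || len >= cap)   /* empty, or no room for the terminator */
        return -1;
    key[len] = '\0';
    return (long)len;
}

int main(int argc, char **argv)
{
    char key[256];
    if (argc != 2 || read_key_file(argv[1], key, sizeof key) < 0) {
        fprintf(stderr, "usage: %s KEYFILE < input  (KEYFILE: chmod 600)\n", argv[0]);
        return 1;
    }
    /* ...encrypt stdin with `key` here; only the file's path shows in ps... */
    fprintf(stderr, "loaded a %zu-byte key\n", strlen(key));
    return 0;
}
```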


