  1. #1
    Linux Newbie SagaciousKJB's Avatar
    Join Date
    Aug 2007
    Location
    Yakima, WA
    Posts
    162

    Prevent one user from seeing another's processes?


    Hi, I've been using a program that requires me to enter a key on the command line when it is run. My worry here is that another user on my system could do a simple "ps" command and list the arguments, also seeing my key.

    Is there any way to prevent other users from seeing processes launched by another user? I tried changing permissions on the specific folder for the process in /proc/ but I keep getting a message that changing those permissions is not permitted.


    If there is not a way to do this, is there a simple way to prevent users from running commands like "ps" that could display this during the time it takes me to run the program?

  2. #2
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    Quote Originally Posted by SagaciousKJB View Post
    Hi, I've been using a program that requires me to enter a key on the command line when it is run. My worry here is that another user on my system could do a simple "ps" command and list the arguments, also seeing my key.

    Is there any way to prevent other users from seeing processes launched by another user? I tried changing permissions on the specific folder for the process in /proc/ but I keep getting a message that changing those permissions is not permitted.


    If there is not a way to do this, is there a simple way to prevent users from running commands like "ps" that could display this during the time it takes me to run the program?
    Not that I know of. Even if you restrict the usage of ps, a given user can still download an rpm or compile it him/herself (though you can always mount the home directories as noexec).

    The usage of passwords on command line is not usually enforced and is not recommended, because everyone can see what you type. No need to use ps.

    If the program does this kind of insecure stuff, you should probably look for an alternative or modify it to read the passwords from a file; it shouldn't be difficult.

  3. #3
    Linux Newbie SagaciousKJB's Avatar
    Join Date
    Aug 2007
    Location
    Yakima, WA
    Posts
    162
    Quote Originally Posted by i92guboj View Post
    Not that I know of. Even if you restrict the usage of ps, a given user can still download an rpm or compile it him/herself (though you can always mount the home directories as noexec).

    The usage of passwords on command line is not usually enforced and is not recommended, because everyone can see what you type. No need to use ps.

    If the program does this kind of insecure stuff, you should probably look for an alternative or modify it to read the passwords from a file; it shouldn't be difficult.
    Yeah, it's actually a program I wrote, and I've just been not wanting to write the extra code needed to grab the key from stdin and a file too, but using a file for the key is a damn good idea that just didn't occur to me before. Thanks a lot.

  5. #4
    Just Joined! Nautilus's Avatar
    Join Date
    Jun 2007
    Location
    London,UK and Athens,GR
    Posts
    42

    Cool

    Well... It seems like you need to modify your program in order to read the key from a file instead of the command line...

  6. #5
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    In C you just need a line for a new file pointer var, a line for fopen, then to seek and read and finally to parse it and assign it to a variable. This is really little effort, and will save you lots of trouble. It might depend on the language you used, but it should not be complicated at all. Only a few lines and minor modifications.

  7. #6
    Linux Newbie SagaciousKJB's Avatar
    Join Date
    Aug 2007
    Location
    Yakima, WA
    Posts
    162
    Well, the problem I'm having with that is if I open a file from stdin (this is an encryption program) to be encrypted, then I am no longer able to grab the key from stdin or user input. The only thing I can think of to solve this is to make a buffer, and I'm not really advanced enough in C to really do that.

  8. #7
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Quote Originally Posted by SagaciousKJB
    Is there any way to prevent other users from seeing processes launched by another user?
    In FreeBSD there's a sysctl MIB:
    security.bsd.see_other_uids

    When set to 0 it will accomplish what you're asking. I am not sure if something similar exists in GNU/Linux land (and I don't have a Linux box in front of me at the moment).

    Maybe someone knows.

  9. #8
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    Quote Originally Posted by anomie View Post
    In FreeBSD there's a sysctl MIB:
    security.bsd.see_other_uids

    When set to 0 it will accomplish what you're asking. I am not sure if something similar exists in GNU/Linux land (and I don't have a Linux box in front of me at the moment).

    Maybe someone knows.
    Again, not as far as I know.

    The easiest workaround would be this:

    echo "<password>" > keyfile
    ./myprogram $(cat keyfile)

    This way ps will show nothing important.

    Make sure you chmod it adequately, since anyone looking at ps will know on which file to look to get the password.

    EDITED: I also think that the grsecurity patches might do that, but I can't confirm it.

  10. #9
    Linux Guru
    Join Date
    Nov 2007
    Location
    Córdoba (Spain)
    Posts
    1,513
    Quote Originally Posted by SagaciousKJB View Post
    Well, the problem I'm having with that is if I open a file from stdin (this is an encryption program) to be encrypted, then I am no longer able to grab the key from stdin or user input. The only thing I can think of to solve this is to make a buffer, and I'm not really advanced enough in C to really do that.
    I don't know what you mean. You just need to open the key file when starting, read the key, and close the file pointer.

    After that, your program would continue just like it is now, without modifications. Just put the key on the same var you used to hold it before and the rest of the code shouldn't need any change.

    I can't be any more accurate since I haven't seen the source.

    If you have specific questions about the code, you might want to post it to the programming subforum, where you'll get a better chance to have it answered.
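
Reading the key from a file at startup, as posts #5 and #9 describe, shown here as an added example that is not the poster's program: `read_key_file`, the buffer sizes and the mode/owner check are assumptions of this sketch. The key path is the only thing on the command line, so `ps` shows the path and not the key (a shell expands `$(cat keyfile)` into the argument list before the program starts), and stdin stays free for the data to encrypt.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from the thread): load the key from `path` into
 * `key` (capacity `cap`). Returns the key length, or -1 if the file is
 * unreadable, not a regular file owned by the caller, accessible to
 * group/other, empty, or too long for the buffer. */
long read_key_file(const char *path, char *key, size_t cap)
{
    struct stat st;
    size_t len = 0;
    ssize_t n = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    /* fstat() the open descriptor so the check applies to the file we read */
    if (cap == 0 || fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || (st.st_mode & (S_IRWXG | S_IRWXO))) {
        close(fd);
        return -1;
    }
    while (len < cap && (n = read(fd, key + len, cap - len)) > 0)
        len += (size_t)n;
    close(fd);
    if (n >= 0 && len < cap) {          /* len == cap: no room for the NUL */
        while (len > 0 && (key[len - 1] == '\n' || key[len - 1] == '\r'))
            len--;                      /* drop the newline echo appends */
        if (len > 0) { key[len] = '\0'; return (long)len; }
    }
    memset(key, 0, cap);                /* leave no partial key behind */
    return -1;
}

int main(int argc, char **argv)
{
    char key[128], buf[4096];
    size_t total = 0, got;
    if (argc != 2 || read_key_file(argv[1], key, sizeof key) < 0) {
        fprintf(stderr, "usage: prog KEYFILE < data   (KEYFILE: mode 0600)\n");
        return 1;
    }
    /* stdin was never used for the key, so it is still free for the data */
    while ((got = fread(buf, 1, sizeof buf, stdin)) > 0)
        total += got;
    fprintf(stderr, "key: %zu bytes, data: %zu bytes\n", strlen(key), total);
    memset(key, 0, sizeof key);
    return 0;
}
```

Create the key file with `umask 077` in effect (or `chmod 600` it before writing the key) so it is never readable by other users, even briefly.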
