Quote: Originally Posted by brianmcgee
I don't want the regular user to be able to explore which processes other users/root are running on the system.
Any particularly compelling reason why not? (Just curious if this is an "official" requirement of sorts or just a misunderstanding of discretionary access rights.)
Quote: Originally Posted by brianmcgee
How may RHEL 4/5 be restricted in that way? One possibility would be Xen and a separate virtual machine per user. But I want all users to share the same machine.
grsecurity has a sysctl to limit the scope of processes to their owner, RSBAC apparently has something similar called "CAP process hiding", and SELinux I don't know (and I haven't yet tried having both SELinux and grsecurity in one kernel). These are invasive methods, since they require a kernel patch, but they are acceptable and mainstream solutions. I don't know of any solid userland implementations (think syscall interception with an LD_PRELOAD), and while I've seen people in other threads mess with things like replacing /bin/ps with a script that basically does something like "/some/path/ps.old U $UID", IMHO those kludges are easy to circumvent (introduce something like BusyBox or your own procps utils, walk /proc, locate the old binary, or use other utilities).
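The "walk /proc" circumvention mentioned in the reply above, as an added example that is not part of the original post: a wrapper over /bin/ps changes nothing about what the kernel exposes, so any user can read /proc/<pid>/status directly and recover pid, owner uid and command name for every process. The functions below take an optional root directory so they can be run against a constructed fake /proc tree (built by the hypothetical helper make_fake_proc) for offline demonstration; with no argument they read the real /proc.

```shell
#!/bin/sh
# Added example, not from the original thread. Enumerates processes by
# reading /proc/<pid>/status directly instead of calling ps, which is why
# replacing /bin/ps with a uid-filtering wrapper does not hide anything.

# list_procs [proc_root]
# Prints one "pid uid comm" line per process, sorted by pid.
# proc_root defaults to /proc; a different root is only used for testing.
list_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        # Skip the unexpanded glob (no pid dirs) and entries we cannot read.
        [ -r "$d/status" ] || continue
        pid=${d##*/}
        # Second field of the Uid: line is the real uid of the process.
        uid=$(awk '/^Uid:/ {print $2; exit}' "$d/status")
        comm=$(awk '/^Name:/ {print $2; exit}' "$d/status")
        printf '%s %s %s\n' "$pid" "$uid" "$comm"
    done | sort -n
}

# procs_not_owned_by <uid> [proc_root]
# Prints the pids of processes whose real uid differs from <uid>, i.e.
# exactly the set a per-user ps wrapper would try to hide.
procs_not_owned_by() {
    list_procs "$2" | awk -v me="$1" '$2 != me {print $1}'
}

# make_fake_proc <dir>
# Constructed sample data (hypothetical helper): builds a minimal /proc
# look-alike with four processes owned by root, uid 1000 and uid 1001.
make_fake_proc() {
    for spec in "1:0:init" "42:0:sshd" "1000:1000:bash" "1001:1001:vim"; do
        pid=${spec%%:*}; rest=${spec#*:}; uid=${rest%%:*}; name=${rest#*:}
        mkdir -p "$1/$pid"
        printf 'Name:\t%s\nUid:\t%s\t%s\t%s\t%s\n' \
            "$name" "$uid" "$uid" "$uid" "$uid" > "$1/$pid/status"
    done
}

# Stand-alone usage against the live system: list everything the kernel
# lets this user see, then just the processes belonging to other users.
if [ "${RUN_DEMO:-0}" = 1 ]; then
    list_procs
    echo "--- not owned by uid $(id -u) ---"
    procs_not_owned_by "$(id -u)"
fi
```

On an unpatched RHEL 4/5 kernel /proc/<pid>/status is world-readable, so RUN_DEMO=1 sh walk_proc.sh lists every user's processes regardless of what /bin/ps has been replaced with; only a kernel-side restriction such as the grsecurity /proc option the reply mentions makes the directory entries or status files of other users' processes unreadable.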