LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-08-2007, 11:09 AM   #1
cad
Member
 
Registered: Dec 2006
Distribution: Fedora core 4
Posts: 92

Rep: Reputation: 15
hide processes


Is there a way by which I can hide my processes from other users if
1) I am the root
2) If I am not the root
 
Old 01-08-2007, 11:14 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Depends what you want to hide, and what from. Can you be specific?
 
Old 01-08-2007, 11:19 AM   #3
cad
Member
 
Registered: Dec 2006
Distribution: Fedora core 4
Posts: 92

Original Poster
Rep: Reputation: 15
Suppose I am running vi or mplayer or anything like that and I don't want anybody who logs in to see my processes using ps -aux.
Please help me
 
Old 01-08-2007, 11:38 AM   #4
cad
Member
 
Registered: Dec 2006
Distribution: Fedora core 4
Posts: 92

Original Poster
Rep: Reputation: 15
When I enter w none of these users appear but when I type ps -aux user1,2,3 appear.
Please explain the mystery


user1 6992 0.0 0.8 46424 8888 ? S Jan07 0:02 /usr/bin/artsd -F 10 -S 4096 -s 60 -m artsmessage -l 3 -f
user2 15099 0.0 0.6 10644 7088 ? S 14:03 0:00 /usr/libexec/gconfd-2 5
user2 15358 0.0 0.4 11176 4560 ? TN 14:29 0:00 /usr/libexec/xscreensaver/stairs -root
root 15391 0.0 0.3 11984 3472 ? S 14:32 0:00 /usr/bin/gdm-binary -nodaemon
root 15414 3.2 6.1 70560 63540 ? R 14:32 16:52 /usr/X11R6/bin/X :0 -audit 0 -auth /var/gdm/:0.Xauth vt7
user3 17244 0.0 0.8 25004 8288 ? S 17:58 0:04 /usr/bin/artsd -F 10 -S 4096 -s 60 -m artsmessage -l 3 -f
 
Old 01-08-2007, 11:42 AM   #5
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I guess it is not possible for non-root. The kernel creates entries in /proc, and ps -aux reads them. To change this, you'll need to exploit a vulnerability, I guess.
 
Old 01-08-2007, 11:43 AM   #6
cad
Member
 
Registered: Dec 2006
Distribution: Fedora core 4
Posts: 92

Original Poster
Rep: Reputation: 15
sorry for this !

Last edited by cad; 01-08-2007 at 11:47 AM.
 
Old 01-08-2007, 11:45 AM   #7
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
'w' shows logged in users, these users have gone through some login procedure, like entering login and password. But processes can get ownership through user switch, like when you run SUID binaries. This is not a login.
 
Old 01-08-2007, 11:48 AM   #8
cad
Member
 
Registered: Dec 2006
Distribution: Fedora core 4
Posts: 92

Original Poster
Rep: Reputation: 15
Is it somehow possible using nohup?
 
Old 01-09-2007, 10:28 PM   #9
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Of course, if you are the system administrator, it is trivial to stop everyone who is not you from probing for active processes: you stop their permission.
chmod o-x /bin/ps
Every time someone other than root tries to execute ps -aux, they get "permission denied".

If you want to hide your own activity from everybody on a network (which you are not the admin for) then this is tricky to do and trickier to justify.
 
Old 01-10-2007, 01:12 AM   #10
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Sorry, but a system administrator who just breaks ps for everybody and thinks he has hidden everything will be making a big mistake.
find /proc -mindepth 2 -maxdepth 2 -name cmdline 2>/dev/null | while read; do cat "$REPLY"; echo; done
 
Old 01-10-2007, 06:04 AM   #11
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
Sorry, but a system administrator who just breaks ps for everybody and thinks he has hidden everything will be making a big mistake.
Doesn't block finger either.

One could take steps to disable many approaches - but the only way I can think of to completely hide would be to isolate the machine I'm working on (firewall or unplug from the network).

I suppose one may write something to run in the background, intercepting attempts to read the content of /proc (say) and return dummy strings... but my main concern is: why would you want to?

One reason may be to track down a black-hat who is actively on the network... somehow I suspect this is not the reason here. However, I am prepared to be proved wrong.
 
Old 01-10-2007, 06:42 AM   #12
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I would do it with a FUSE filesystem in /proc, while real proc is root-readable-only. May even work!
 
Old 01-10-2007, 07:52 PM   #13
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Cute... something you'd have to set up as administrator though isn't it?

It's kinda a neat question for admins, since information about what is going on on the network is going to be important for all kinds of things. I'd imagine that a user hiding processes would be a concern.

I guess one could sit down at a machine on someone's network and hide what one does on that machine from the network... one could reboot the machine to a live distro (for eg.) reconfigure the machine and exit.

This would mean that the machine spends some time disconnected from the network and its servers... creating a log entry somewhere depending how it was set up.

But here, you see, I'm talking about compromising a network yet again.

So I still think the "why" part is important.
 
Old 01-11-2007, 02:32 AM   #14
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Surely you have! If you can get information about your processes, root also can. Maybe with some kernel security tricks this situation is possible to avoid, but it will be called removing root...

If root allows users to hide processes from each other - but not from root - it can give some security through obscurity benefits (if you do have good security, obscurity can improve it a bit) and, what may be more important, it can give some privacy or secrecy when it is needed (and root logins are guaranteed to happen only in well-controlled circumstances and with supervision).
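
Added example, not part of the original post: later Linux kernels (3.3 and newer) provide what this post describes as the procfs mount option hidepid, which hides other users' /proc entries from non-root users while root still sees everything. The script below is one way to audit a system for it; the function names proc_hidepid, foreign_procs and procfs_audit are this example's own, and it reads /proc directly, which is why removing execute permission from /bin/ps changes nothing.

```shell
#!/bin/sh
# Added example: audit what procfs reveals about other users' processes.
# hidepid is a procfs mount option (Linux 3.3+); root enables it with e.g.
#   mount -o remount,hidepid=2 /proc

# Print the hidepid value of the proc mount listed in a mounts file
# (default /proc/self/mounts); prints 0 when the option is absent.
# Newer kernels may report a name such as "invisible" instead of a number.
proc_hidepid() {
    mounts=${1:-/proc/self/mounts}
    [ -r "$mounts" ] || return 0
    awk '$3 == "proc" {
        level = "0"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) level = substr(opts[i], 9)
        print level
        exit
    }' "$mounts"
}

# Count processes under a proc root whose real UID differs from the given
# UID, reading the status files directly (no ps binary involved).
foreign_procs() {
    root=${1:-/proc}
    me=${2:-$(id -u)}
    count=0
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue
        uid=$(awk '$1 == "Uid:" { print $2; exit }' "$status" 2>/dev/null) || continue
        if [ -n "$uid" ] && [ "$uid" != "$me" ]; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Report for the running system.
procfs_audit() {
    level=$(proc_hidepid)
    echo "hidepid=${level:-unknown}; other users' processes visible: $(foreign_procs)"
}

procfs_audit
```

Run as an ordinary user, a non-zero count with hidepid=0 means any account on the machine can list everyone's command lines; after a remount with hidepid=2 the same run should report zero.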
 
Old 01-11-2007, 04:15 AM   #15
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Quote:
Surely you have!
What? You've lost me... I need the context there dude.
Quote:
If root allows users to hide processes from each other - but not from root - it can give some security through obscurity benefits
Sure - someone could sit on the network watching other users' processes to see if there are any habits which could be exploited... if users' processes are private, this cannot happen.
Quote:
what may be more important it can give some privacy or secrecy when it is needed
The privacy aspect is still there - who cares that a user has vi running when you cannot tell what is being edited? The actual writing is still private (except to folk actually in the same room and looking over the user's shoulder)... in the end, privacy is a gentleman's agreement. When privacy is enforced with security, it risks becoming a competition -- a challenge.
Quote:
(and root logins are guaranteed to happen only in well-controlled circumstances and with supervision).
rotfl
 
  

