/proc permissions

vlad031 · 11-18-2010, 07:08 PM

I'm looking for a kernel patch that will make new dirs in /proc to be 0550 instead of 0555... I'm building an hosting server and I don't want the users see what other processes are running on the sys...
What I want to achieve: when a new process gets started, it's "pid" directory will have 0550 perms...

I did some modifying on kernel/sysctl.c in the kernel code, but with no luck...

any ideas?!

cheers!

stress_junkie · 11-18-2010, 08:43 PM

You might have a look at SELinux. That is highly configurable. It's probably already installed in your system.

vlad031 · 11-18-2010, 09:35 PM

nope ... Selinux is not an option due to some implementation on my system which made me remove selinux... I'm looking strictly for an answer to my problem, not workarounds!
cheers!

win32sux · 11-18-2010, 09:45 PM

Quote:

Originally Posted by vlad031

I'm building an hosting server and I don't want the users see what other processes are running on the sys...

The grsecurity patch includes this functionality.

Well, it can make it so that a user only sees his/her own processes.

syg00 · 11-18-2010, 11:14 PM

I would have thought that if you were doing hosting, use a system designed for it from the ground up. The devs have ironed out all the problems you haven't even thought of. Containers provides this isolation "out of the box" with something like vserver.

vlad031 · 11-19-2010, 08:16 AM

Quote:

Originally Posted by win32sux

The grsecurity patch includes this functionality.

Well, it can make it so that a user only sees his/her own processes.

GREAT!!! That's exactly what I was looking for! Thanks a lot!