Restrict ps to show only user own processes on Debian Etch.

tmee · 05-22-2008, 05:07 PM

Sup,

I'm about to limit ps-command output to list only user current processes.
I've created a bash-script to /bin/ps and moved original ps to ps123.
My bash-script works now well, after hours with nano & Google.
The script is a bit tricky since I wanted '/bin/sh /bin/ps' and 'sed ...'-rows out of the list.

Code:

#!/bin/sh

echo "Running processes for user $USER"
echo

procs=`/bin/ps123 -u $USER -U $USER u | (sed -e '/bin\/ps123/d' -e '/bin\/ps/d' -e '$d')`
echo "$procs" | (sed -e 's/$/\ /')

exit 1

My only problem is how to make this script unreadable but executable?
I don't want, that users can read the script above so I'm asking help here.
Tried to chmod & chgrp - with no effect. The script can only be (readable and executable) or (unreadable and unexecutable).

My advices are finished, yours ll'be appreciated!

Regards,
tme

unSpawn · 05-22-2008, 05:36 PM

If users can 0) walk /proc, 1) find ps123, 2) write scripts, 3) introduce or 4) compile binaries or 5) use other binaries that provide process listing, your scheme fails (...). So I wonder what you're trying to accomplish. If this is for an exposed machine that must stand some abuse (for example a shell account servers) I'd suggest you use the GRSecurity patch because even without using its RBAC features you get a lot of security-related improvements including compartmentalisation so an UID can only see the processes it has rights for.

chrism01 · 05-22-2008, 07:29 PM

As per nnSpawn, and just to clarify, it is a fact that script files (bash, perl etc) must be readable as well as executable to run.
Only true binaries e.g. compiled C progs can get away with just being executable.

tmee · 05-23-2008, 02:35 AM

Thank you unSpawn & chrism01!

Yes, I have couple shell-accounts on my chrooted server.
The Grsecurity-patch sound like a good plan, but I am running
kernel 2.6.18.8-xenU and I've no idea how to patch it into xen-kernel!

I found this page with Google: HOWTO: Installing Grsecurity patched kernel in debian/ubuntu

Advices?

Regards,
tme

unSpawn · 05-23-2008, 07:47 PM

See this GRSecurity.net forum thread, it shows it works. Go ahead and try I'd say.

maccy44 · 01-25-2011, 08:43 PM

If you dont want to mess with the kernel, then change the script like this:

#!/bin/sh

PSUSER=`/usr/bin/whoami`
now=$(date +"%R")
if [ "$PSUSER" != "root" ]
then
procs=`/bin/woot -u $USER -U $USER u | (sed -e '/bin\/woot/d' -e '/bin\/ps/d' -e '$d')`
else
procs=`/bin/woot aux`
fi
echo "$procs" | (sed -e 's/$/\ /')
echo "$USER 15231 0.0 0.0 4016 684 pts/0 S+ $now 0:00 ps"
exit 1

Then it would output all for root and the user would see current processes and ps. Since when you run ps, it is still showed at the bottom. Just a bit more convincing.
Peace;

J