Hi,

this patch provides three new kernel options and restricts the access modes of
/proc/<pid>-dirs either to 550 or 500 in order to provide some privacy to
users. Tools like lsof and ps can then no longer be used to spy on other
users. The options are added at File system drivers -> Pseudo Filesystems
-> proc. Maybe somebody's interested.

cu,

Daniel

--- linux-2.6.23.8/fs/Kconfig   2007-11-16 19:14:27.000000000 +0100
+++ linux-2.6.23.8-dhr/fs/Kconfig       2007-11-20 19:54:54.000000000 +0100
@@ -918,6 +918,36 @@
         help
         Exports the dump image of crashed kernel in ELF format.

+choice
+       prompt "Restrict access to /proc/<pid>-dirs"
+       default PROC_PIDDIRS_UNRESTRICTED
+config PROC_PIDDIRS_UNRESTRICTED
+       bool "no restriction"
+       depends on PROC_FS
+       help
+         Don't restrict access to /proc/<pid>-dirs, i.e. leave mode at 555
+         respectively r-xr-xr-x . This is the traditional mode of operation.
+
+         If unsure, say Y.
+config PROC_PIDDIRS_RESTRICT_TO_UG
+       bool "restrict to user and group
+       depends on PROC_FS
+       help
+         Restrict access to /proc/<pid>-dirs to user and group, i.e. set mode
+         to 550 respectively r-xr-x--- .
+
+         If unsure, say N.
+
+config PROC_PIDDIRS_RESTRICT_TO_U
+       bool "restrict to user
+       depends on PROC_FS
+       help
+         Restrict access to /proc/<pid>-dirs to user only, i.e. set mode to
+         500 respectively r-x------ .
+
+         If unsure, say N.
+endchoice
+
 config PROC_SYSCTL
        bool "Sysctl support (/proc/sys)" if EMBEDDED
        depends on PROC_FS
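Review bot: The prompt strings of the two restricted entries are missing their closing quote, so Kconfig will not read them as written; they should be `bool "restrict to user and group"` and `bool "restrict to user"`. The `depends on PROC_FS` line is repeated on each entry but absent from the `choice` itself, so placing it once directly under `prompt` would keep the whole choice hidden when procfs is disabled. The help texts could also state that this is a build-time setting that changes only the mode bits of the /proc/<pid> directory, so that nobody selecting it for privacy assumes more than the patch enforces.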
--- linux-2.6.23.8/fs/proc/base.c       2007-11-16 19:14:27.000000000 +0100
+++ linux-2.6.23.8-dhr/fs/proc/base.c   2007-11-21 10:44:17.000000000 +0100
@@ -2200,7 +2200,13 @@
        if (!inode)
                goto out;

+#if defined CONFIG_PROC_PIDDIRS_UNRESTRICTED
        inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#elif defined CONFIG_PROC_PIDDIRS_RESTRICT_TO_UG
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#elif defined CONFIG_PROC_PIDDIRS_RESTRICT_TO_U
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#endif
        inode->i_op = &proc_tgid_base_inode_operations;
        inode->i_fop = &proc_tgid_base_operations;
        inode->i_flags|=S_IMMUTABLE;
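Review bot: The `#if`/`#elif` chain around `inode->i_mode` has no `#else`, so a configuration in which none of the three symbols is defined would leave the mode unassigned here; closing the chain with `#else` and `#error "no PROC_PIDDIRS_* mode selected"` turns that into a build failure rather than a directory with an unset mode. Only the permission bits are changed in this hunk, so what "user" and "group" mean for a given process depends on the uid/gid assignment elsewhere in the file (not visible here). A short comment above the chain such as `/* mode only: owner/group come from the task; DAC-override-capable callers are not restricted */` would record that limit. The enclosing function starts and ends outside the hunk.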


