Re: KERNEL PATCH: add process hiding (fixed)

2016-12-04 Thread Ian Walker
Thanks, Michael. Leave it to me to forget to update the documentation.

Here's the patch with the manpage change:


Index: sys/kern/kern_sysctl.c
===
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.320
diff -u -p -u -r1.320 kern_sysctl.c
--- sys/kern/kern_sysctl.c  11 Nov 2016 18:59:09 -  1.320
+++ sys/kern/kern_sysctl.c  4 Dec 2016 20:43:53 -
@@ -263,6 +263,7 @@ size_t disknameslen;
 struct diskstats *diskstats = NULL;
 size_t diskstatslen;
 int securelevel;
+int seeotheruids = 1; /* on by default */
 
 /*
  * kernel related system variables.
@@ -632,6 +633,13 @@ kern_sysctl(int *name, u_int namelen, vo
dnsjackport = port;
return 0;
}
+   case KERN_SEEOTHERUIDS: {
+   if (securelevel > 0)
+   return (sysctl_rdint(oldp, oldlenp, newp,
+   seeotheruids));
+   return (sysctl_int(oldp, oldlenp, newp, newlen,
+   ));
+   }
default:
return (EOPNOTSUPP);
}
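Review bot: As posted, `return (sysctl_int(oldp, oldlenp, newp, newlen, ));` has no fifth argument and cannot compile; most likely `&seeotheruids` was stripped in transit (an ampersand followed by a word is easily eaten by mail or HTML processing), but the diff should be re-posted and confirmed to build before anyone applies it. The `securelevel > 0` gate freezes the knob in whichever state it holds when rc(8) raises securelevel, in both directions, which is the right shape for a hardening knob but deserves a line saying so, e.g. `/* read-only once securelevel is raised; set it from sysctl.conf(5) */`. kern_sysctl's switch starts and ends outside this hunk.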
@@ -1427,7 +1435,8 @@ sysctl_doproc(int *name, u_int namelen, 
int arg, buflen, doingzomb, elem_size, elem_count;
int error, needed, op;
int dothreads = 0;
-   int show_pointers;
+   int is_suser, show_pointers, show_otheruids;
+   uid_t euid;
 
dp = where;
buflen = where != NULL ? *sizep : 0;
@@ -1444,7 +1453,10 @@ sysctl_doproc(int *name, u_int namelen, 
dothreads = op & KERN_PROC_SHOW_THREADS;
op &= ~KERN_PROC_SHOW_THREADS;
 
-   show_pointers = suser(curproc, 0) == 0;
+   is_suser = suser(curproc, 0) == 0;
+   show_pointers = is_suser;
+   show_otheruids = seeotheruids || is_suser;
+   euid = curproc->p_ucred->cr_uid;
 
if (where != NULL)
kproc = malloc(sizeof(*kproc), M_TEMP, M_WAITOK);
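Review bot: `euid = curproc->p_ucred->cr_uid;` keys visibility on the caller's effective uid, and the filter below compares it with the target's `ps_ucred->cr_uid`, also an effective uid, so a set-user-ID program (other than setuid-root, which passes `suser`) sees the processes of the uid it runs as rather than the invoking user's, and a daemon that has temporarily switched its euid changes its view with it. As far as I recall FreeBSD's corresponding check compares real uids; whichever semantics is intended should be chosen deliberately and recorded in a comment such as `/* visibility is decided on effective uids; setuid programs get the target uid's view */`. sysctl_doproc's body continues outside this hunk.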
@@ -1461,6 +1473,9 @@ again:
 * Skip embryonic processes.
 */
if (pr->ps_flags & PS_EMBRYO)
+   continue;
+
+   if (!show_otheruids && pr->ps_ucred->cr_uid != euid)
continue;
 
/*
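Review bot: The uid filter added here hides processes only from the KERN_PROC walk in sysctl_doproc; the other per-process sysctls in this file (KERN_PROC_ARGS, KERN_PROC_CWD, KERN_PROC_VMMAP, and the KERN_FILE table) are not touched by this diff, so unless they also honour `show_otheruids`, an unprivileged user can presumably still fetch the argv of any pid by probing the pid space and list other users' open files, which undercuts the stated privacy goal. Even with those covered, pid existence still leaks through `kill(pid, 0)` returning EPERM rather than ESRCH, a limit worth stating in the manpage entry. The new check also deserves its own comment instead of sitting under the `Skip embryonic processes` one: `/* Hide other users' processes unless kern.see_other_uids is set or the caller is root. */`.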
Index: sys/sys/sysctl.h
===
RCS file: /cvs/src/sys/sys/sysctl.h,v
retrieving revision 1.170
diff -u -p -u -r1.170 sysctl.h
--- sys/sys/sysctl.h7 Nov 2016 00:26:32 -   1.170
+++ sys/sys/sysctl.h4 Dec 2016 20:43:55 -
@@ -184,7 +184,8 @@ struct ctlname {
 #defineKERN_GLOBAL_PTRACE  81  /* allow ptrace globally */
 #defineKERN_CONSBUFSIZE82  /* int: console message buffer 
size */
 #defineKERN_CONSBUF83  /* console message buffer */
-#defineKERN_MAXID  84  /* number of valid kern ids */
+#defineKERN_SEEOTHERUIDS   84  /* see other users' proceesses 
*/
+#defineKERN_MAXID  85  /* number of valid kern ids */
 
 #defineCTL_KERN_NAMES { \
{ 0, 0 }, \
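Review bot: The comment on the new define reads `see other users' proceesses`; it should be `/* see other users' processes */`, and since this is a public header the typo will otherwise be copied into every grep and doc derived from it. It would also help to record that the id is an int knob like its neighbours, e.g. `/* int: see other users' processes */`, matching the style of `KERN_CONSBUFSIZE` two lines up.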
@@ -269,6 +270,9 @@ struct ctlname {
{ "proc_nobroadcastkill", CTLTYPE_NODE }, \
{ "proc_vmmap", CTLTYPE_NODE }, \
{ "global_ptrace", CTLTYPE_INT }, \
+   { "gap", 0 }, \
+   { "gap", 0 }, \
+   { "see_other_uids", CTLTYPE_INT }, \
 }
 
 /*
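Review bot: The two `{ "gap", 0 }` placeholders stand for ids 82 and 83 (KERN_CONSBUFSIZE and KERN_CONSBUF, per the defines in the hunk above), but nothing in the table says so, and the name table is presumably indexed by id, so a future entry inserted in the wrong place would silently rename a different knob. A trailing comment on each, `{ "gap", 0 }, /* KERN_CONSBUFSIZE */` and `{ "gap", 0 }, /* KERN_CONSBUF */`, makes the alignment checkable by eye.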
Index: sbin/sysctl/sysctl.8
===
RCS file: /cvs/src/sbin/sysctl/sysctl.8,v
retrieving revision 1.208
diff -u -p -u -r1.208 sysctl.8
--- sbin/sysctl/sysctl.815 Oct 2016 14:43:53 -  1.208
+++ sbin/sysctl/sysctl.85 Dec 2016 02:04:52 -
@@ -194,6 +194,7 @@ and a few require a kernel compiled with
 .It kern.wxabort Ta integer Ta yes
 .It kern.consdev Ta string Ta no
 .It kern.global_ptrace Ta integer Ta yes
+.It kern.see_other_uids Ta integer Ta yes
 .It vm.vmmeter Ta struct Ta no
 .It vm.loadavg Ta struct Ta no
 .It vm.psstrings Ta struct Ta no



On Mon, Dec 05, 2016 at 08:55:19AM +0800, Michael W. Bombardieri wrote:
> Should this patch also add see_other_uids in sysctl(8) manual?
> 
> On Sun, Dec 04, 2016 at 07:49:12PM -0500, Ian Walker wrote:
> > (( Resending my last from a client that (hopefully) won't mangle the email.
> >Sorry about the noise, folks. ))
> > 
> > 
> > Hello OpenBSD Community -
> > 
> > OpenBSD should have the ability to prevent users from seeing each other's 
> > processes even if this ability is disabled by default. 
> > In addition to the small security benefit this provides, it also affords 
> > each user a much greater amount of privacy. Linux and 
> > FreeBSD already support similar features ( 
> > https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/  && 
> > https://www.cyberciti.biz/faq/freebsd-disable-ps-sockstat-command-information-leakage/
> >  ) and the implementation itself is fairly 
> > trivial.
> > 
> > Below is a patch which implements 

Re: KERNEL PATCH: add process hiding (fixed)

2016-12-04 Thread Michael W. Bombardieri
Should this patch also add see_other_uids in sysctl(8) manual?

On Sun, Dec 04, 2016 at 07:49:12PM -0500, Ian Walker wrote:
> (( Resending my last from a client that (hopefully) won't mangle the email.
>Sorry about the noise, folks. ))
> 
> 
> Hello OpenBSD Community -
> 
> OpenBSD should have the ability to prevent users from seeing each other's 
> processes even if this ability is disabled by default. 
> In addition to the small security benefit this provides, it also affords each 
> user a much greater amount of privacy. Linux and 
> FreeBSD already support similar features ( 
> https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/  && 
> https://www.cyberciti.biz/faq/freebsd-disable-ps-sockstat-command-information-leakage/
>  ) and the implementation itself is fairly 
> trivial.
> 
> Below is a patch which implements basic process hiding for non-superusers and 
> is activated with a sysctl knob. Similar to that of 
> > FreeBSD it is called "kern.see_other_uids". The idea is that if process 
> spying is a security or privacy concern for you, you 
> would add "kern.see_other_uids=0" to sysctl.conf and reboot (assuming 
> securelevel > 0).
> 
> I look forward to your comments.
> 
> Thanks and cheers all -
> Ian Walker
> 
> 
> 
> Index: sys/kern/kern_sysctl.c
> ===
> RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
> retrieving revision 1.320
> diff -u -p -u -r1.320 kern_sysctl.c
> --- sys/kern/kern_sysctl.c11 Nov 2016 18:59:09 -1.320
> +++ sys/kern/kern_sysctl.c4 Dec 2016 20:43:53 -
> @@ -263,6 +263,7 @@ size_t disknameslen;
>  struct diskstats *diskstats = NULL;
>  size_t diskstatslen;
>  int securelevel;
> +int seeotheruids = 1; /* on by default */
>  
>  /*
>   * kernel related system variables.
> @@ -632,6 +633,13 @@ kern_sysctl(int *name, u_int namelen, vo
>  dnsjackport = port;
>  return 0;
>  }
> +case KERN_SEEOTHERUIDS: {
> +if (securelevel > 0)
> +return (sysctl_rdint(oldp, oldlenp, newp,
> +seeotheruids));
> +return (sysctl_int(oldp, oldlenp, newp, newlen,
> +));
> +}
>  default:
>  return (EOPNOTSUPP);
>  }
> @@ -1427,7 +1435,8 @@ sysctl_doproc(int *name, u_int namelen,
>  int arg, buflen, doingzomb, elem_size, elem_count;
>  int error, needed, op;
>  int dothreads = 0;
> -int show_pointers;
> +int is_suser, show_pointers, show_otheruids;
> +uid_t euid;
>  
>  dp = where;
>  buflen = where != NULL ? *sizep : 0;
> @@ -1444,7 +1453,10 @@ sysctl_doproc(int *name, u_int namelen,
>  dothreads = op & KERN_PROC_SHOW_THREADS;
>  op &= ~KERN_PROC_SHOW_THREADS;
>  
> -show_pointers = suser(curproc, 0) == 0;
> +is_suser = suser(curproc, 0) == 0;
> +show_pointers = is_suser;
> +show_otheruids = seeotheruids || is_suser;
> +euid = curproc->p_ucred->cr_uid;
>  
>  if (where != NULL)
>  kproc = malloc(sizeof(*kproc), M_TEMP, M_WAITOK);
> @@ -1461,6 +1473,9 @@ again:
>   * Skip embryonic processes.
>   */
>  if (pr->ps_flags & PS_EMBRYO)
> +continue;
> +
> +if (!show_otheruids && pr->ps_ucred->cr_uid != euid)
>  continue;
>  
>  /*
> Index: sys/sys/sysctl.h
> ===
> RCS file: /cvs/src/sys/sys/sysctl.h,v
> retrieving revision 1.170
> diff -u -p -u -r1.170 sysctl.h
> --- sys/sys/sysctl.h7 Nov 2016 00:26:32 -1.170
> +++ sys/sys/sysctl.h4 Dec 2016 20:43:55 -
> @@ -184,7 +184,8 @@ struct ctlname {
>  #defineKERN_GLOBAL_PTRACE81/* allow ptrace globally */
>  #defineKERN_CONSBUFSIZE82/* int: console message buffer size */
>  #defineKERN_CONSBUF83/* console message buffer */
> -#defineKERN_MAXID84/* number of valid kern ids */
> +#defineKERN_SEEOTHERUIDS84/* see other users' proceesses */
> +#defineKERN_MAXID85/* number of valid kern ids */
>  
>  #defineCTL_KERN_NAMES { \
>  { 0, 0 }, \
> @@ -269,6 +270,9 @@ struct ctlname {
>  { "proc_nobroadcastkill", CTLTYPE_NODE }, \
>  { "proc_vmmap", CTLTYPE_NODE }, \
>  { "global_ptrace", CTLTYPE_INT }, \
> +{ "gap", 0 }, \
> +{ "gap", 0 }, \
> +{ "see_other_uids", CTLTYPE_INT }, \
>  }
>  
>  /*
> 



Re: doas.conf(5): clarify args

2016-12-04 Thread Ted Unangst
Ingo Schwarze wrote:
> Hi,
> 
> Anton Lindqvist wrote on Fri, Dec 02, 2016 at 10:40:16AM +0100:
> 
> > Make it clear that args is a keyword followed by zero or more arguments.
> 
> Your argument makes sense to me, we generally don't use "..."
> to imply a preceding .Ar, but we use it to indicate that the
> preceding .Ar can be repeated.  So yes, this may be confusing.
> 
> > Unfortunately, the grammar format no longer fits on a single line even
> > with the offset removed.
> 
> That is ugly indeed and makes the overview line harder to read.
> 
> I think we can avoid the confusion by being more explicit in the
> description, but keep the overview concise.
> 
> Any OKs for the following version?

i guess. What does No do? I don't see any difference.

I definitely would prefer to avoid long strings of ]].



KERNEL PATCH: add process hiding (fixed)

2016-12-04 Thread Ian Walker
(( Resending my last from a client that (hopefully) won't mangle the email.
   Sorry about the noise, folks. ))


Hello OpenBSD Community -

OpenBSD should have the ability to prevent users from seeing each other's 
processes even if this ability is disabled by default. 
In addition to the small security benefit this provides, it also affords each 
user a much greater amount of privacy. Linux and 
FreeBSD already support similar features ( 
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/  && 
https://www.cyberciti.biz/faq/freebsd-disable-ps-sockstat-command-information-leakage/
 ) and the implementation itself is fairly 
trivial.

Below is a patch which implements basic process hiding for non-superusers and 
is activated with a sysctl knob. Similar to that of 
FreeBSD it is called "kern.see_other_uids". The idea is that if process spying 
is a security or privacy concern for you, you 
would add "kern.see_other_uids=0" to sysctl.conf and reboot, because the knob 
becomes read-only once securelevel > 0 (the normal multi-user state).

I look forward to your comments.

Thanks and cheers all -
Ian Walker



Index: sys/kern/kern_sysctl.c
===
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.320
diff -u -p -u -r1.320 kern_sysctl.c
--- sys/kern/kern_sysctl.c11 Nov 2016 18:59:09 -1.320
+++ sys/kern/kern_sysctl.c4 Dec 2016 20:43:53 -
@@ -263,6 +263,7 @@ size_t disknameslen;
 struct diskstats *diskstats = NULL;
 size_t diskstatslen;
 int securelevel;
+int seeotheruids = 1; /* on by default */
 
 /*
  * kernel related system variables.
@@ -632,6 +633,13 @@ kern_sysctl(int *name, u_int namelen, vo
 dnsjackport = port;
 return 0;
 }
+case KERN_SEEOTHERUIDS: {
+if (securelevel > 0)
+return (sysctl_rdint(oldp, oldlenp, newp,
+seeotheruids));
+return (sysctl_int(oldp, oldlenp, newp, newlen,
+));
+}
 default:
 return (EOPNOTSUPP);
 }
@@ -1427,7 +1435,8 @@ sysctl_doproc(int *name, u_int namelen,
 int arg, buflen, doingzomb, elem_size, elem_count;
 int error, needed, op;
 int dothreads = 0;
-int show_pointers;
+int is_suser, show_pointers, show_otheruids;
+uid_t euid;
 
 dp = where;
 buflen = where != NULL ? *sizep : 0;
@@ -1444,7 +1453,10 @@ sysctl_doproc(int *name, u_int namelen,
 dothreads = op & KERN_PROC_SHOW_THREADS;
 op &= ~KERN_PROC_SHOW_THREADS;
 
-show_pointers = suser(curproc, 0) == 0;
+is_suser = suser(curproc, 0) == 0;
+show_pointers = is_suser;
+show_otheruids = seeotheruids || is_suser;
+euid = curproc->p_ucred->cr_uid;
 
 if (where != NULL)
 kproc = malloc(sizeof(*kproc), M_TEMP, M_WAITOK);
@@ -1461,6 +1473,9 @@ again:
  * Skip embryonic processes.
  */
 if (pr->ps_flags & PS_EMBRYO)
+continue;
+
+if (!show_otheruids && pr->ps_ucred->cr_uid != euid)
 continue;
 
 /*
Index: sys/sys/sysctl.h
===
RCS file: /cvs/src/sys/sys/sysctl.h,v
retrieving revision 1.170
diff -u -p -u -r1.170 sysctl.h
--- sys/sys/sysctl.h7 Nov 2016 00:26:32 -1.170
+++ sys/sys/sysctl.h4 Dec 2016 20:43:55 -
@@ -184,7 +184,8 @@ struct ctlname {
 #defineKERN_GLOBAL_PTRACE81/* allow ptrace globally */
 #defineKERN_CONSBUFSIZE82/* int: console message buffer size */
 #defineKERN_CONSBUF83/* console message buffer */
-#defineKERN_MAXID84/* number of valid kern ids */
+#defineKERN_SEEOTHERUIDS84/* see other users' proceesses */
+#defineKERN_MAXID85/* number of valid kern ids */
 
 #defineCTL_KERN_NAMES { \
 { 0, 0 }, \
@@ -269,6 +270,9 @@ struct ctlname {
 { "proc_nobroadcastkill", CTLTYPE_NODE }, \
 { "proc_vmmap", CTLTYPE_NODE }, \
 { "global_ptrace", CTLTYPE_INT }, \
+{ "gap", 0 }, \
+{ "gap", 0 }, \
+{ "see_other_uids", CTLTYPE_INT }, \
 }
 
 /*



KERNEL PATCH: add process hiding

2016-12-04 Thread walker_643
Hello OpenBSD Community -

OpenBSD should have the ability to prevent users from seeing each other's 
processes even if this ability is disabled by default. In addition to the small 
security benefit this provides, it also affords each user a much greater amount 
of privacy. Linux and FreeBSD already support similar features ( 
https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/  && 
https://www.cyberciti.biz/faq/freebsd-disable-ps-sockstat-command-information-leakage/
 ) and the implementation itself is fairly trivial.
Below is a patch which implements basic process hiding for non-superusers and 
is activated with a sysctl knob. Similar to that of FreeBSD it is called 
"kern.see_other_uids". The idea is that if process spying is a security or 
privacy concern for you, you would add "kern.see_other_uids=0" to sysctl.conf 
and reboot, because the knob becomes read-only once securelevel > 0 (the normal 
multi-user state).
I look forward to your comments.

Thanks and cheers all -
Ian Walker

Index: sys/kern/kern_sysctl.c
===
RCS file: /cvs/src/sys/kern/kern_sysctl.c,v
retrieving revision 1.320
diff -u -p -u -r1.320 kern_sysctl.c
--- sys/kern/kern_sysctl.c    11 Nov 2016 18:59:09 -    1.320
+++ sys/kern/kern_sysctl.c    4 Dec 2016 20:43:53 -
@@ -263,6 +263,7 @@ size_t disknameslen;
 struct diskstats *diskstats = NULL;
 size_t diskstatslen;
 int securelevel;
+int seeotheruids = 1; /* on by default */
 
 /*
  * kernel related system variables.
@@ -632,6 +633,13 @@ kern_sysctl(int *name, u_int namelen, vo
     dnsjackport = port;
     return 0;
 }
+    case KERN_SEEOTHERUIDS: {
+        if (securelevel > 0)
+            return (sysctl_rdint(oldp, oldlenp, newp,
+                seeotheruids));
+        return (sysctl_int(oldp, oldlenp, newp, newlen,
+            ));
+    }
 default:
     return (EOPNOTSUPP);
 }
@@ -1427,7 +1435,8 @@ sysctl_doproc(int *name, u_int namelen, 
 int arg, buflen, doingzomb, elem_size, elem_count;
 int error, needed, op;
 int dothreads = 0;
-    int show_pointers;
+    int is_suser, show_pointers, show_otheruids;
+    uid_t euid;
 
 dp = where;
 buflen = where != NULL ? *sizep : 0;
@@ -1444,7 +1453,10 @@ sysctl_doproc(int *name, u_int namelen, 
 dothreads = op & KERN_PROC_SHOW_THREADS;
 op &= ~KERN_PROC_SHOW_THREADS;
 
-    show_pointers = suser(curproc, 0) == 0;
+    is_suser = suser(curproc, 0) == 0;
+    show_pointers = is_suser;
+    show_otheruids = seeotheruids || is_suser;
+    euid = curproc->p_ucred->cr_uid;
 
 if (where != NULL)
     kproc = malloc(sizeof(*kproc), M_TEMP, M_WAITOK);
@@ -1461,6 +1473,9 @@ again:
      * Skip embryonic processes.
      */
     if (pr->ps_flags & PS_EMBRYO)
+            continue;
+
+        if (!show_otheruids && pr->ps_ucred->cr_uid != euid)
         continue;
 
     /*
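Review bot: With this filter a KERN_PROC_PID lookup of a pid that exists but belongs to another user returns an empty result, indistinguishable from a nonexistent pid; that is the right choice for not confirming pid existence, but it is a deliberate decision that readers of ps(1) failures will wonder about, so say it: `/* Hidden processes are skipped silently so that their existence is not confirmed. */`. Note the check also runs on the sizing pass (`where == NULL`), which is needed so the `needed` count matches the filtered output. sysctl_doproc's loop starts and ends outside this hunk.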
Index: sys/sys/sysctl.h
===
RCS file: /cvs/src/sys/sys/sysctl.h,v
retrieving revision 1.170
diff -u -p -u -r1.170 sysctl.h
--- sys/sys/sysctl.h    7 Nov 2016 00:26:32 -    1.170
+++ sys/sys/sysctl.h    4 Dec 2016 20:43:55 -
@@ -184,7 +184,8 @@ struct ctlname {
 #define    KERN_GLOBAL_PTRACE    81    /* allow ptrace globally */
 #define    KERN_CONSBUFSIZE    82    /* int: console message buffer size */
 #define    KERN_CONSBUF        83    /* console message buffer */
-#define    KERN_MAXID        84    /* number of valid kern ids */
+#define    KERN_SEEOTHERUIDS    84    /* see other users' proceesses */
+#define    KERN_MAXID        85    /* number of valid kern ids */
 
 #define    CTL_KERN_NAMES { \
 { 0, 0 }, \
@@ -269,6 +270,9 @@ struct ctlname {
 { "proc_nobroadcastkill", CTLTYPE_NODE }, \
 { "proc_vmmap", CTLTYPE_NODE }, \
 { "global_ptrace", CTLTYPE_INT }, \
+    { "gap", 0 }, \
+    { "gap", 0 }, \
+    { "see_other_uids", CTLTYPE_INT }, \
 }
 
 /*