Re: patch: hide processes non owned by a user
On 01/27/2015 08:26 AM, Renaud Allard wrote: Hello, I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes non owned by a user, except for root. This should be mostly useful on shell servers and on servers with chroots. I know some controversial patches have been presented in the past, but this one only does only one thing and should have a small enough impact. While writing it, I was using a snapshot of about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be or have been a regression somewhere. OK, it seems my patch was a little bit mangled for some reason. Here you can find the full patch (including man pages) which works against -current https://arnor.org/OpenBSD/hideproc.txt Index: lib/libc/gen/sysctl.3 === RCS file: /cvs/src/lib/libc/gen/sysctl.3,v retrieving revision 1.246 diff -u -p -u -r1.246 sysctl.3 --- lib/libc/gen/sysctl.3 22 Dec 2014 03:33:18 - 1.246 +++ lib/libc/gen/sysctl.3 27 Jan 2015 13:33:09 - @@ -466,6 +466,7 @@ information. .It Dv KERN_USERMOUNT Ta "integer" Ta "yes" .It Dv KERN_VERSION Ta "string" Ta "no" .It Dv KERN_WATCHDOG Ta "node" Ta "not applicable" +.It Dv KERN_HIDEPROC Ta "integer" Ta "yes" .El .Bl -tag -width "123456" .It Dv KERN_ARGMAX @@ -1071,6 +1072,9 @@ variable. .It Dv KERN_WATCHDOG_PERIOD The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer. +.It Dv KERN_HIDEPROC +If set to 1, the kernel will only list processes belonging to the user +making the call, except if the user is root. .El .El .Ss CTL_MACHDEP Index: sbin/sysctl/sysctl.8 === RCS file: /cvs/src/sbin/sysctl/sysctl.8,v retrieving revision 1.186 diff -u -p -u -r1.186 sysctl.8 --- sbin/sysctl/sysctl.812 Dec 2014 08:42:48 - 1.186 +++ sbin/sysctl/sysctl.827 Jan 2015 13:33:11 - 
@@ -197,6 +197,7 @@ and a few require a kernel compiled with .It kern.maxlocksperuid Ta integer Ta yes .It kern.bufcachepercent Ta integer Ta yes .It kern.consdev Ta string Ta no +.It kern.hideproc Ta integer Ta yes .It kern.global_ptrace Ta integer Ta yes .It vm.vmmeter Ta struct Ta no .It vm.loadavg Ta struct Ta no Index: sys/kern/kern_sysctl.c === RCS file: /cvs/src/sys/kern/kern_sysctl.c,v retrieving revision 1.279 diff -u -p -u -r1.279 kern_sysctl.c --- sys/kern/kern_sysctl.c 20 Jan 2015 19:43:21 - 1.279 +++ sys/kern/kern_sysctl.c 27 Jan 2015 13:33:11 - @@ -245,6 +245,7 @@ int hostnamelen; char domainname[MAXHOSTNAMELEN]; int domainnamelen; long hostid; +int hideproc; char *disknames = NULL; struct diskstats *diskstats = NULL; #ifdef INSECURE @@ -594,6 +595,8 @@ kern_sysctl(int *name, u_int namelen, vo return sysctl_rdstruct(oldp, oldlenp, newp, &dev, sizeof(dev)); case KERN_NETLIVELOCKS: return (sysctl_rdint(oldp, oldlenp, newp, net_livelocks)); + case KERN_HIDEPROC: + return(sysctl_int(oldp, oldlenp, newp, newlen, &hideproc)); case KERN_POOL_DEBUG: { int old_pool_debug = pool_debug; @@ -1372,6 +1375,17 @@ again: * Skip embryonic processes. */ if (pr->ps_flags & PS_EMBRYO) + continue; + + /* + * Only show user owned processes if hideproc flag is set + * or the last exec gave us setuid/setgid privs + * (unless you're root). + */ + + if ( hideproc > 0 && (pr != curproc->p_p && + (pr->ps_ucred->cr_ruid != curproc->p_ucred->cr_ruid || + (pr->ps_flags & PS_SUGID)) && suser(curproc, 0) != 0)) continue; /* Index: sys/sys/sysctl.h === RCS file: /cvs/src/sys/sys/sysctl.h,v retrieving revision 1.154 diff -u -p -u -r1.154 sysctl.h --- sys/sys/sysctl.h13 Jan 2015 10:07:58 - 1.154 +++ sys/sys/sysctl.h27 Jan 2015 13:33:11 - 
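Review bot: The new `case KERN_HIDEPROC` stores whatever integer is written through sysctl_int(), with no range check and no securelevel restriction, while the sysctl.3 text says "set to 1" and the consumer later in the file tests `hideproc > 0`; if this is meant as a hardening knob, read the new value into a temporary, accept only 0 or 1, and decide explicitly whether it may be cleared again once securelevel has been raised. The sysctl.8 hunk in the earlier version of this patch lists kern.hideproc as `string`, which disagrees with the `integer` entry and with the sysctl_int() handler here. For consistency with the adjacent cases write `return (sysctl_int(oldp, oldlenp, newp, newlen, &hideproc));` with the space after `return`. The enclosing kern_sysctl() switch starts and ends outside the hunk.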
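Review bot: `suser(curproc, 0)` is re-evaluated for every process the new filter examines, although the caller's privilege cannot change during the walk; compute it once before the loop (`int privileged = (suser(curproc, 0) == 0);`) and test `!privileged` in the condition, and consider `SUSER_NOACCT` instead of `0` if, as I recall, a zero flag also sets the ASU accounting flag on the caller for each successful check (please confirm against suser()). The filter only guards this process-walk, so as far as the diff shows the per-pid nodes such as KERN_PROC_ARGS, KERN_PROC_CWD and KERN_PROC_VMMAP still answer for other users' processes; either apply the same test on those paths or state the limitation in sysctl.3. The comment should also say that processes with PS_SUGID set are hidden even from their own owner, which is what `(pr->ps_flags & PS_SUGID)` does here, and the stray space in `if ( hideproc` should go. The enclosing loop starts outside the hunk; the same applies to the 5.6 version of this hunk later in the thread (`@@ -1376,6 +1378,17 @@`).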
@@ -184,7 +184,8 @@ struct ctlname { #defineKERN_GLOBAL_PTRACE 81 /* allow ptrace globally */ #defineKERN_CONSBUFSIZE82 /* int: console message buffer size */ #defineKERN_CONSBUF83 /* console message buffer */ -#defineKERN_MAXID 84 /* number of valid kern ids */ +#define KERN_HIDEPROC 84 /* int: system hide other procs */ +#defineKERN_MAXID 85 /* number of valid kern ids */ #defineCTL_KERN_NAMES { \ { 0, 0 }, \ @@ -269,6 +270,9 @@ struct ctlname { { "proc_nobroadcastkill", CTLTYPE_NODE }, \ { "proc_vmmap", CTLTYPE_NOD
Re: patch: hide processes non owned by a user
On 01/27/2015 09:07 AM, STeve Andre' wrote: On 01/27/15 02:26, Renaud Allard wrote: Hello, I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes non owned by a user, except for root. This should be mostly useful on shell servers and on servers with chroots. I know some controversial patches have been presented in the past, but this one only does only one thing and should have a small enough impact. While writing it, I was using a snapshot of about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be or have been a regression somewhere. This seems like another knob, to me. As someone who has helped administrate open access systems, I'm not sure this is useful. You forgot to include the man page additions, too. ;-) --STeve Andre' This is indeed a know, but it prevents leaking information about the processes running on the machine. Here is the man page diff: diff -aur oldsrc/lib/libc/gen/sysctl.3 src/lib/libc/gen/sysctl.3 --- oldsrc/lib/libc/gen/sysctl.3Sun Jul 13 19:47:03 2014 +++ src/lib/libc/gen/sysctl.3 Tue Jan 27 10:32:26 2015 @@ -468,6 +468,7 @@ .It Dv KERN_VERSION Ta "string" Ta "no" .It Dv KERN_VNODE Ta "struct e_vnode" Ta "no" .It Dv KERN_WATCHDOG Ta "node" Ta "not applicable" +.It Dv KERN_HIDEPROC Ta "integer" Ta "yes" .El .Bl -tag -width "123456" .It Dv KERN_ARGMAX @@ -1085,6 +1086,9 @@ .It Dv KERN_WATCHDOG_PERIOD The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer. +.It Dv KERN_HIDEPROC +If set to 1, the kernel will only list processes belonging to the user +making the call, except if the user is root. .El .El .Ss CTL_MACHDEP diff -aur oldsrc/sbin/sysctl/sysctl.8 src/sbin/sysctl/sysctl.8 --- oldsrc/sbin/sysctl/sysctl.8 Fri Jul 11 18:43:07 2014 +++ src/sbin/sysctl/sysctl.8Tue Jan 27 10:28:40 2015 
@@ -200,6 +200,7 @@ .It kern.maxlocksperuid Ta integer Ta yes .It kern.bufcachepercent Ta integer Ta yes .It kern.consdev Ta string Ta no +.It kern.hideproc Ta string Ta yes .It vm.vmmeter Ta struct Ta no .It vm.loadavg Ta struct Ta no .It vm.psstrings Ta struct Ta no
Re: patch: hide processes non owned by a user
On 01/27/2015 09:07 AM, STeve Andre' wrote: On 01/27/15 02:26, Renaud Allard wrote: Hello, I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes non owned by a user, except for root. This should be mostly useful on shell servers and on servers with chroots. I know some controversial patches have been presented in the past, but this one only does only one thing and should have a small enough impact. While writing it, I was using a snapshot of about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be or have been a regression somewhere. This seems like another knob, to me. As someone who has helped administrate open access systems, I'm not sure this is useful. You forgot to include the man page additions, too. ;-) --STeve Andre' This is indeed a know, but it prevents leaking information about the processes running on the machine. Here is the man page diff: diff -aur oldsrc/lib/libc/gen/sysctl.3 src/lib/libc/gen/sysctl.3 --- oldsrc/lib/libc/gen/sysctl.3Sun Jul 13 19:47:03 2014 +++ src/lib/libc/gen/sysctl.3 Tue Jan 27 10:32:26 2015 @@ -468,6 +468,7 @@ .It Dv KERN_VERSION Ta "string" Ta "no" .It Dv KERN_VNODE Ta "struct e_vnode" Ta "no" .It Dv KERN_WATCHDOG Ta "node" Ta "not applicable" +.It Dv KERN_HIDEPROC Ta "integer" Ta "yes" .El .Bl -tag -width "123456" .It Dv KERN_ARGMAX @@ -1085,6 +1086,9 @@ .It Dv KERN_WATCHDOG_PERIOD The period of the watchdog timer in seconds. Set to 0 to disable the watchdog timer. +.It Dv KERN_HIDEPROC +If set to 1, the kernel will only list processes belonging to the user +making the call, except if the user is root. .El .El .Ss CTL_MACHDEP diff -aur oldsrc/sbin/sysctl/sysctl.8 src/sbin/sysctl/sysctl.8 --- oldsrc/sbin/sysctl/sysctl.8 Fri Jul 11 18:43:07 2014 +++ src/sbin/sysctl/sysctl.8Tue Jan 27 10:28:40 2015 
@@ -200,6 +200,7 @@ .It kern.maxlocksperuid Ta integer Ta yes .It kern.bufcachepercent Ta integer Ta yes .It kern.consdev Ta string Ta no +.It kern.hideproc Ta string Ta yes .It vm.vmmeter Ta struct Ta no .It vm.loadavg Ta struct Ta no .It vm.psstrings Ta struct Ta no smime.p7s Description: S/MIME Cryptographic Signature
Re: patch: hide processes non owned by a user
On 01/27/15 02:26, Renaud Allard wrote: Hello, I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes non owned by a user, except for root. This should be mostly useful on shell servers and on servers with chroots. I know some controversial patches have been presented in the past, but this one only does only one thing and should have a small enough impact. While writing it, I was using a snapshot of about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be or have been a regression somewhere. This seems like another knob, to me. As someone who has helped administrate open access systems, I'm not sure this is useful. You forgot to include the man page additions, too. ;-) --STeve Andre'
patch: hide processes non owned by a user
Hello, I wrote a patch which adds a new kernel sysctl (hideproc) to hide processes non owned by a user, except for root. This should be mostly useful on shell servers and on servers with chroots. I know some controversial patches have been presented in the past, but this one only does only one thing and should have a small enough impact. While writing it, I was using a snapshot of about 1 week old, and the patch didn't work for a reason I have not found. But it works fine on 5.6 (that's why this one applies to 5.6). So there might be or have been a regression somewhere. diff -aur oldsys/kern/kern_sysctl.c sys/kern/kern_sysctl.c --- oldsys/kern/kern_sysctl.c Tue Jul 22 19:13:26 2014 +++ sys/kern/kern_sysctl.c Tue Jan 27 08:32:31 2015 @@ -38,7 +38,6 @@ /* * sysctl system call. */ - #include #include #include @@ -246,6 +245,7 @@ char domainname[MAXHOSTNAMELEN]; int domainnamelen; long hostid; +int hideproc; char *disknames = NULL; struct diskstats *diskstats = NULL; #ifdef INSECURE @@ -597,6 +597,8 @@ return sysctl_rdstruct(oldp, oldlenp, newp, &dev, sizeof(dev)); case KERN_NETLIVELOCKS: return (sysctl_rdint(oldp, oldlenp, newp, net_livelocks)); + case KERN_HIDEPROC: + return(sysctl_int(oldp, oldlenp, newp, newlen, &hideproc)); case KERN_POOL_DEBUG: { int old_pool_debug = pool_debug; @@ -1376,6 +1378,17 @@ * Skip embryonic processes. */ if (pr->ps_flags & PS_EMBRYO) + continue; + + /* + * Only show user owned processes if hideproc flag is set + * or the last exec gave us setuid/setgid privs + * (unless you're root). + */ + + if ( hideproc > 0 && (pr != curproc->p_p && + (pr->ps_ucred->cr_ruid != curproc->p_ucred->cr_ruid || + (pr->ps_flags & PS_SUGID)) && suser(curproc, 0) != 0)) continue; /* --- oldsys/sys/sysctl.h Sun Jul 13 18:41:22 2014 +++ sys/sys/sysctl.hTue Jan 27 08:38:31 2015 
@@ -180,7 +180,8 @@ #defineKERN_POOL_DEBUG 77 /* int: enable pool_debug */ #defineKERN_PROC_CWD 78 /* node: proc cwd */ #defineKERN_PROC_NOBROADCASTKILL 79/* node: proc no broadcast kill */ -#defineKERN_MAXID 80 /* number of valid kern ids */ +#define KERN_HIDEPROC 80 /* int: system hide other procs */ +#defineKERN_MAXID 81 /* number of valid kern ids */ #defineCTL_KERN_NAMES { \ { 0, 0 }, \ @@ -263,6 +264,7 @@ { "pool_debug", CTLTYPE_INT }, \ { "proc_cwd", CTLTYPE_NODE }, \ { "proc_nobroadcastkill", CTLTYPE_NODE }, \ + { "hideproc", CTLTYPE_INT }, \ } /* smime.p7s Description: S/MIME Cryptographic Signature