9

Is it possible to configure process hiding for certain user groups under a Linux system?

For example: Users from group X should not see processes owned by users from group Y in ps/top or under /proc.

Is it possible to configure such a setup with SELinux?

(I vaguely remember a similar feature in the funny grsecurity patch set - but IIRC, it was more generic - and besides, I want to configure a stock Linux distro without having to maintain a custom kernel.)

Edit: For better illustration, Solaris 10 has a similar feature. The example is not that generic, but one can configure that a user or some users can only see information of their own processes in ps etc.

alanc
maxschlepzig
  • I don't know but the best source of SELinux info is probably the book (amazon link) [SELinux by Example: Using Security Enhanced Linux](http://www.amazon.com/gp/product/0131963694?ie=UTF8&tag=xenotsblog-20&linkCode=as2&camp=1789&creative=390957&creativeASIN=0131963694) – xenoterracide Aug 27 '10 at 21:19
  • Grsecurity does this for single users except root. – stribika Mar 04 '11 at 22:29
  • Similar question with more answers: http://unix.stackexchange.com/questions/17164/how-to-make-a-process-invisible-to-other-users/34224#34224 – jofel Mar 15 '12 at 09:34

2 Answers

4

Actually, SELinux seems to allow such configurations:

From the first Howto:

> This time, you will see all processes on the system regardless of the domain they are in. When in sysadm_t domain, you have access to other domains which the user_t domain does not.

From the second Howto:

> The third line allows staff_t to run ps and see processes in the unprivileged user domains. staff_t is able to run ps and see everything in user_t and other user domains if any, whereas user_t can not.

maxschlepzig
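A check for the requirement in the question, added here as an example and not taken from the answer or the Howtos it quotes: run as a user from group X, it reports every process owned by a member of group Y that is still readable under /proc. The function names, the `proc_root` parameter and the script name `check_hidden.py` are assumptions of this example.

```python
import grp
import os
import pwd
import sys


def uids_in_group(group_name):
    """UIDs of accounts with group_name as primary or supplementary group."""
    group = grp.getgrnam(group_name)
    uids = {u.pw_uid for u in pwd.getpwall() if u.pw_gid == group.gr_gid}
    for member in group.gr_mem:
        try:
            uids.add(pwd.getpwnam(member).pw_uid)
        except KeyError:
            pass  # stale group entry with no matching account
    return uids


def parse_status(text):
    """Turn the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    pairs = (line.split(":", 1) for line in text.splitlines() if ":" in line)
    return {key: value.strip() for key, value in pairs}


def visible_processes(hidden_uids, proc_root="/proc"):
    """Return sorted (pid, uid, name) for readable processes owned by hidden_uids."""
    leaks = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip /proc/self, /proc/sys, ...
        path = os.path.join(proc_root, entry, "status")
        try:
            with open(path, errors="replace") as fh:
                fields = parse_status(fh.read())
        except OSError:
            continue  # hidden from us, or the process already exited
        if "Uid" not in fields:
            continue
        uid = int(fields["Uid"].split()[0])  # first value is the real UID
        if uid in hidden_uids:
            leaks.append((int(entry), uid, fields.get("Name", "")))
    return sorted(leaks)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hidden.py GROUP_Y")
    found = visible_processes(uids_in_group(sys.argv[1]))
    for pid, uid, name in found:
        print(f"still visible: pid={pid} uid={uid} name={name}")
    sys.exit(1 if found else 0)
```

An exit status of 0 means no process of group Y was readable by the calling user; the match is on the owning UID from `status`, so it does not depend on the process name.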
-1

Without a rootkit, or without hacking the kernel to specifically allow that behavior, there are not any pre-packaged options.

If these are processes launched from code you have access to then you may be able to recompile it while altering the argv[0] argument passed into the program. This could effectively change the name to something benign and thus "hide" it from anyone checking top or ps, etc.

Shamster