How to make a process invisible to other users?

Question

How could you launch a process and make it invisible to the top command? The process is started by a normal user (not root), and should not be visible to other normal users.

Answer 1

Linux kernel since 3.3 contains support for hiding processes to other users.

It is done by hidepid= and gid= mount options for /proc as described in the corresponding commit and Documentation/filesystems/proc.txt.

Debian Wheezy also includes this feature.

Answer 2

The top command reads the data from proc, which is provided directly from the kernel. In order to hide processes, you'd have to use code inside the kernel to do the masking.

Aside from using a security framework like SELinux and grsecurity (mentioned in the other answers), rootkit-style code is your only remaining option. I say "style" because a "rootkit" by itself isn't bad, it's how it's used. There are perfectly legitimate reasons behind hiding processes from other users, which is why this capability exists in security frameworks.

The basic route you'd have to follow to get this to work is to hook into (or hijack, depending on how you look at it) the function(s) in the linux kernel that hand out the /proc/pid/ data. I demonstrate one method of hooking into linux kernel functions in a security module I wrote:

https://github.com/cormander/tpe-lkm

The "high level" code for this is in the hijack_syscalls() method in security.c, and the devil-in-the-details magic behind it is in the hijacks.c file.

You'll likely find the function(s) you'll want to hook into in the fs/proc/ directory of the source code of the linux kernel. Keep in mind that linux does not provide a stable ABI, so your code will need to change somewhat in order to get it working in different versions of the linux kernel. Also, keep in mind that you need full root access to the machine to be able to insert this code.

UPDATE:

If you wrap the pid_getattr kernel symbol with some additional code to it's real easy to do this. I recently added something that hides processes to the above kernel module:

https://github.com/cormander/tpe-lkm/commit/899bd5d74764af343d5fee1d8058756ddc63bfe3

You could do something similar by making the processes of a certain user or group not viewable by anyone except root and that user. Doing it by process name is a bit more complex, but possible. Have a look at the exe_from_mm() function. Note that there may be performance implications of using it inside of pid_getattr.

Answer 3

It seems the two main options.

• Selinux works by putting different people into different security domains and in a sense sand-boxing them so they can't see each-others stuff. This is covered in this question. Since selinux is quickly becoming the de-facto security framework in the Linux world this is probably the direction you should look.

• The other is grsecurity as mentioned by marioosh and as asked in this question. Some distros have alternative kernel packages with grsecurity patches applied. If yours has this you might look into using them.

If for some reason you want to do this without the addition of a security framework like selinux or grsecurity, please explain how what you are doing is not writing a root-kit.

Answer 4

It is not so simple on standard linux box. Look at the grsecurity, but it requires patching kernel etc.

Answer 5

you could override your argv[0] with another name... but strictely speaking, you're looking for some kind of rootkit. this may help you out: http://stupefydeveloper.blogspot.com/2008/10/linux-change-process-name.html

Answer 6

You could write an equivalent command that works just like top, but doesn't display processes matching a specific name. Alternatively you can get the source code of the top command and modify it accordingly. You can then replace the top command in /usr/sbin (or wherever it is) with your version.