Is it possible to disable the `/proc` pseudo-filesystem to prevent `w`, `ps`, `top`, etc., from showing what other users are doing? Of course, I still want "everything else" to work correctly. Is there a workable way to do this?

2 Answers
There is the grsecurity patchset (included in SELinux, but doesn't have the latter's horribly complicated MAC permission system) for the Linux kernel which offers the option of allowing only the owner (and root) to see his/her processes. It also offers other goodies without being as intrusive as SELinux.
A similar option is there on Solaris, or so I heard.

For Solaris, see How to Limit Display of Other User's Processes to configure which users can see what other users are doing. – alanc May 05 '13 at 04:10
If you disable `/proc`, a lot of things will stop working. Not only will you not be able to use `ps` and company, even to see your own processes, but a lot of tools and services will not be able to run. Looking at the computer I'm writing this on, processes that have a file under `/proc` open include `mdadm` (RAID), `Xorg` (GUI), `hald` (hotpluggable devices), `acpid` (ACPI), `rpc.mount` (NFS server).

It might be workable to give `/proc` permissions 550 (i.e. non-world-readable), group `proc-readers`, and put all the services that use `/proc` but aren't running as root in the `proc-readers` group. I've never tried; this is an experiment proposal, not something to do on a production machine.
Use SELinux or virtualization to further isolate users.
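As an added example (not part of the answer above), here is a POSIX shell script that does the inventory the answer describes by hand: it lists every process that currently holds an open file descriptor under `/proc`, with its uid and command name, so you can see which non-root services would have to join a `proc-readers` group before `/proc` is made non-world-readable. The function names are my own; the group name `proc-readers` is taken from the answer.

```shell
#!/bin/sh
# Inventory processes holding open file descriptors under /proc.
# Every non-root entry printed here is a service that would break if
# /proc were restricted to a proc-readers group without adding it.
# Helper names are hypothetical, not from the original answer.

# Return success if a path lies under the procfs mount point.
is_under_proc() {
    case "$1" in
        /proc|/proc/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "pid uid comm" for each process with at least one fd under /proc.
# Run as root for a full picture: an unprivileged user can only read the
# /proc/PID/fd directories of their own processes, so the list is partial.
proc_fd_holders() {
    self=$$
    for fddir in /proc/[0-9]*/fd; do
        pid=${fddir#/proc/}
        pid=${pid%/fd}
        [ "$pid" = "$self" ] && continue      # skip this script's own shell
        [ -r "$fddir" ] || continue           # unreadable: not ours, not root
        for fd in "$fddir"/*; do
            target=$(readlink "$fd" 2>/dev/null) || continue
            if is_under_proc "$target"; then
                uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)
                comm=$(cat "/proc/$pid/comm" 2>/dev/null)
                printf '%s %s %s\n' "$pid" "${uid:-?}" "${comm:-?}"
                break                         # one hit per process is enough
            fi
        done
    done
    return 0
}

proc_fd_holders
```

Uid 0 entries can be ignored for the group experiment, since root reads `/proc` regardless of its mode bits; everything else is a candidate for `proc-readers`.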