Comments on Philipp Kern's Debian blog: Lazyweb question: How to avoid leaking process info?
(comment feed, 11 comments, newest first)

Philipp Kern, 2012-06-12 11:11 (+02:00):
Apparently someone did and it just got uploaded to sid.

Unknown, 2012-05-20 15:44 (+02:00):
So are you (or anyone) going to test the result of cherry-picking the commits listed in http://bugs.debian.org/669028 into the Debian kernel package?

Instructions for rebuilding:
http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official

Anonymous, 2012-05-18 11:12 (+02:00):
For the benefit of readers making their own kernels: You also need this patch

https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=a2ef990ab5a6705a356d146dd773a3b359787497

Anonymous, 2012-05-17 22:19 (+02:00):
You can also pass a gid=NNN option, which will limit /proc to that group ID. Probably safer than chmod.

Anonymous, 2012-05-17 22:17 (+02:00):
~$ ls -ld /proc
dr-xr-xr-x 144 root root 0 May 14 21:33 /proc
~$ sudo chmod 0500 /proc
~$ ls -ld /proc
dr-x------ 145 root root 0 May 14 21:33 /proc
~$ ps auxf
Cannot find /proc/version - is /proc mounted?

Anonymous, 2012-05-17 21:20 (+02:00):
OpenVZ? Squeeze has an -openvz kernel flavour but unfortunately Wheezy's kernel won't have it.

Each container gets its own process namespace, with a fully isolated /proc and /sys (and virtual network interfaces, and a filesystem which is chrooted in some dir on the host system). Only the host is able to see all processes. Ability to limit resources like memory, sockets, inodes and/or filesystem quota per container might be a bonus.

Emanuele Aina (http://nerd.ocracy.org/em/), 2012-05-17 19:56 (+02:00):
You can use the hidepid mount option for the /proc filesystem. Quoting http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=blob;f=Documentation/filesystems/proc.txt , §4.1 "Mount options":

hidepid=2 means hidepid=1 plus all /proc/<pid>/ will be fully invisible to other users. It doesn't mean that it hides a fact whether a process with a specific pid value exists (it can be learned by other means, e.g. by "kill -0 $PID"), but it hides process' uid and gid, which may be learned by stat()'ing /proc/<pid>/ otherwise. It greatly complicates an intruder's task of gathering information about running processes, whether some daemon runs with elevated privileges, whether other user runs some sensitive program, whether other users run any program at all, etc.

Anonymous, 2012-05-17 19:26 (+02:00):
Inspired by setuid-sandbox (which you might wanna look at): There's a flag to the clone() syscall to make the child go in a new PID namespace. I don't think it requires any caps. So make a small wrapper shell that executes the user's shell this way.

Anonymous, 2012-05-17 18:57 (+02:00):
See http://unix.stackexchange.com/a/34224/15241 and other answers there.

Philipp Kern, 2012-05-17 18:45 (+02:00):
Does that really work? According to this LWN article (http://lwn.net/SubscriberLink/497106/40c80649337fbb4f/) it's not part of the VFS layer to mount filesystems with overriding uid/gid/mode settings. I know that NTFS and vfat support it, but a trivial experiment doesn't work for me for /proc. Does it work for you?

Anonymous, 2012-05-17 18:28 (+02:00):
If you don't mind users not seeing their own processes either, you could mount /proc with root-only permissions (0500) or with permissions only for a trusted group (0550 root:adm or similar).
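The hidepid= and gid= mount options recommended in the comments above are easy to set and easy to lose on a later remount, so an audit that reads the mount table is the check a defender wants. The following POSIX shell script is an added example, not code from the thread or from any of the commenters; it assumes only a /proc/mounts-style table (a constructed one is embedded) and also understands the named values (noaccess, invisible, ptraceable) that newer kernels report in place of the numeric ones.

```shell
#!/bin/sh
# Audit check (added example): report the hidepid= and gid= options on the
# /proc mount as found in a mount table in /proc/mounts format.
# Argument: path to the mount table (defaults to the live /proc/mounts).
# Output:   "hidepid=<n> gid=<g>"; absent options read as hidepid=0 gid=0.
proc_mount_opts() {
    mounts_file="${1:-/proc/mounts}"
    # Fields: device mountpoint fstype options dump pass. Keep the last proc mount on /proc.
    opts=$(awk '$2 == "/proc" && $3 == "proc" { o = $4 } END { print o }' "$mounts_file")
    [ -n "$opts" ] || { echo "no proc filesystem mounted on /proc in $mounts_file" >&2; return 1; }
    hidepid=0; gid=0
    old_ifs="$IFS"; IFS=','
    for opt in $opts; do                     # walk the comma-separated option list
        case "$opt" in
            hidepid=*) hidepid="${opt#hidepid=}" ;;
            gid=*)     gid="${opt#gid=}" ;;
        esac
    done
    IFS="$old_ifs"
    # Linux 5.8+ spells the levels by name; normalise to the numeric levels used in the thread.
    case "$hidepid" in
        off)        hidepid=0 ;;
        noaccess)   hidepid=1 ;;
        invisible)  hidepid=2 ;;
        ptraceable) hidepid=4 ;;
    esac
    printf 'hidepid=%s gid=%s\n' "$hidepid" "$gid"
}

# Constructed sample table: /proc mounted the way the thread suggests
# (hidepid=2 plus a gid= exemption for one trusted group, here gid 4).
SAMPLE_MOUNTS='rootfs / rootfs rw 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2,gid=4 0 0
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0'

# Usage: audit the constructed table (pass no argument to audit the running system).
sample_file=$(mktemp)
printf '%s\n' "$SAMPLE_MOUNTS" > "$sample_file"
proc_mount_opts "$sample_file"
rm -f "$sample_file"
```

A result of hidepid=0 on a host that was configured with hidepid=2 is the signal to look for: it means /proc was remounted without the option and the process listing is world-readable again.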