Saturday, December 24, 2005

Restricting process information

In our shared hosting environment we can see all the processes on the box. User Joe should have little or no insight into what user Bob is doing, unless he needs to. This is a small blurb on how to restrict process information and make it a bit harder for a user to figure out what other users are doing on a system. We will cover BSD, Linux and our newest addition to the mix, Solaris 10.

Linux - On the Linux platform I have yet to find a distro that lets me do this out of the box. If you know of one, let me know! The best thing I have found is OWL (Openwall Linux), but it's still not exactly what I want. Check it out here. I'm not sure if you can do this with DAC policies (discretionary access control) yet on Linux, but you might.

BSD - I am a big OpenBSD/FreeBSD/BSDi fan. FreeBSD did a pretty good job at restricting process information. They introduced a kernel variable, kern.ps_showallprocs. You can set it at runtime with the following (to make it persistent across reboots, put the line kern.ps_showallprocs=0, without the leading sysctl, in /etc/sysctl.conf):

sysctl kern.ps_showallprocs=0

This does a great job of hiding ps output from basic users. The slightly more advanced Unix guru knows you can also get process information from /proc (procfs). To address this you can disable procfs altogether. Be warned that some programs require procfs access, such as truss, w, etc. I usually do this on our production systems, since we try to debug issues offline as much as we can.

Solaris 10 – The guys at Sun really did some good with Solaris 10, and I could talk all day about its security. At the same time, it's about time they came on board.

Solaris 10 provides us with a security policy we can set. It's controlled by /etc/security/policy.conf.

The privilege we are looking to take away is proc_info. For those of you not familiar with ppriv, feel free to play with it, but here is its description of proc_info:

poseidon@megatron# ppriv -l -v proc_info
proc_info
        Allows a process to examine the status of processes other than those it can send signals to.
        Processes which cannot be examined cannot be seen in /proc and appear not to exist.

Let's modify the /etc/security/policy.conf file to not allow proc_info for default users:

We have now globally restricted ps information for all users. Sun also knows that /proc can be used to obtain process information and restricted its output to match the policy. These guys really did it right.

I have a few cron jobs that do need access to the process info for all users, so how can I give them that access?

Easily: for users that need access we can create a policy for them and apply it to a specific class of users with the user_attr(4) file. I'll let you read the man page, since you probably have all this free time over the holidays.

Something to the effect of the following, just to change the defaultpriv:

Again, when you do this, things like truss, pfiles and ptree are not going to work.
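As an added example (not from the original post), here is a small POSIX shell audit for the two Solaris 10 files discussed above: it checks that the PRIV_DEFAULT line in policy.conf drops proc_info from the basic set and lists the user_attr(4) accounts whose defaultpriv grants it back. The sample file contents and the cronops account name are constructed; on a real host you would point the functions at /etc/security/policy.conf and /etc/user_attr.

```shell
#!/bin/sh
# Added example, not from the original post: audit the two Solaris 10 files the
# text discusses. Sample contents below are constructed; on a real host call the
# functions on /etc/security/policy.conf and /etc/user_attr instead.
set -eu

# Return 0 if the last active PRIV_DEFAULT line removes proc_info from the basic
# set ("basic,!proc_info"). No PRIV_DEFAULT means the stock default set, which
# still includes proc_info, so that returns 1 as well.
default_drops_proc_info() {
    set_line=$(grep '^[[:space:]]*PRIV_DEFAULT=' "$1" | tail -n 1 \
               | sed 's/^[^=]*=//; s/[[:space:]]//g')
    [ -n "$set_line" ] || return 1
    case ",$set_line," in
        *,!proc_info,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# Print accounts whose user_attr(4) entry grants proc_info back through
# defaultpriv=...; these are the ones that can still see everyone's processes.
users_granted_proc_info() {
    awk -F: '
        /^[[:space:]]*#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (kv[i] ~ /^defaultpriv=/ &&
                    ("," substr(kv[i], 13) ",") ~ /,proc_info,/)
                    print $1
        }' "$1"
}

# Constructed sample files standing in for the real ones (cronops is made up).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_POLICY="$SAMPLE_DIR/policy.conf"
SAMPLE_USER_ATTR="$SAMPLE_DIR/user_attr"
cat > "$SAMPLE_POLICY" <<'EOF'
PROFS_GRANTED=Basic Solaris User
PRIV_DEFAULT=basic,!proc_info
EOF
cat > "$SAMPLE_USER_ATTR" <<'EOF'
root::::auths=solaris.*,solaris.grant;profiles=All
cronops::::defaultpriv=basic,proc_info
joe::::profiles=Basic Solaris User
EOF

if default_drops_proc_info "$SAMPLE_POLICY"; then echo "policy.conf: proc_info dropped"
else echo "policy.conf: WARNING, default users still have proc_info"; fi
echo "accounts granted proc_info back: $(users_granted_proc_info "$SAMPLE_USER_ATTR")"
```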

Something else to consider is creating jails for all of your users. You can give them each a small piece of the world to do whatever they want in. Most OSes support this now; it's a bit of work to configure, but once you get it done you can automate it fairly easily. The users in the jail shouldn't see a difference.
