[Gllug] Restricting Process Visibility

Daniel P. Berrange dan at berrange.com
Wed May 17 14:14:48 UTC 2006 

On Wed, May 17, 2006 at 02:50:41PM +0100, Steve Nelson wrote:
> I have a number of app servers which will be running a custom
> application inside weblogic.  Originally, the architecture was
> desigend around one client using the platform.  This has changed, and
> now multiple independent clients will be sharing the platform.
> 
> I've been tasked to ensure this happens in the most secure way possible.
> 
> I've made good progress with imposing limits using pam, and chrooting
> the users, and giving them limited power via sudo and wrapper scripts.
> 
> However, I have also been asked to restrict visibility of processes
> between users, and am not sure how best to do this, or even the extent
> to which this is possible.  For example, users should not be able to
> extract process information belonging to anyone other than themselves,
> either from userland tools, or from /proc.
> 
> Quite aside from the demerits of secuirty by obscurity, my initial
> response has been to say the whole site needs to be redesigned around
> a virtualisation technology, but this has been rejected.
> 
> My restrictions are RHEL 3 and 2.4 kernel.
> 
> Other than horrid hacks like aliasing ps to something that shows only
> the user's processes, can anyone suggest a way to accomplish this?

Yes, it is basically impossible. At very best you can 'obscure' other user's
processes by wrapping 'ps' & other similar commands, but any mildly clueful 
person could see all they want from /proc. There is no way to remove /proc
without breaking a boatload of tools.

As you say this kind of thing you'd need some form of virtualization, or 
a Solaris Zones equivalent - I can't remmber the name of the Linux equiv,
but its pretty damn far from being accepted in upstream kernel, so you're
out of luck there too :-(

Dan.
-- 
|=-            GPG key: http://www.berrange.com/~dan/gpgkey.txt       -=|
|=-       Perl modules: http://search.cpan.org/~danberr/              -=|
|=-           Projects: http://freshmeat.net/~danielpb/               -=|
|=-   berrange at redhat.com  -  Daniel Berrange  -  dan at berrange.com    -=|
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 196 bytes
Desc: Digital signature
URL: <http://mailman.lug.org.uk/pipermail/gllug/attachments/20060517/30672f52/attachment.pgp>
-------------- next part --------------
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug

More information about the GLLUG mailing list