Patch: Hide process info from other users/users not in my group

To: debian-kernel@lists.debian.org
Subject: Patch: Hide process info from other users/users not in my group
From: Daniel Reichelt <nl@itamservices.de>
Date: Thu, 22 Nov 2007 19:44:56 +0100
Message-id: <[🔎] 4745CE28.9090407@itamservices.de>

Hi,

this patch provides three new kernel options and restricts the access modes of
/proc/<pid>-dirs either to 550 or 500 in order to provide some privacy to
users. Tools like lsof and ps to spy out on other users become
ineffective. The options are added at File system drivers -> Pseudo Filesystems
-> proc. Maybe somebody's interested.

cu,

Daniel

--- linux-2.6.23.8/fs/Kconfig   2007-11-16 19:14:27.000000000 +0100
+++ linux-2.6.23.8-dhr/fs/Kconfig       2007-11-20 19:54:54.000000000 +0100
@@ -918,6 +918,36 @@
         help
         Exports the dump image of crashed kernel in ELF format.

+choice
+       prompt "Restrict access to /proc/<pid>-dirs"
+       default PROC_PIDDIRS_UNRESTRICTED
+config PROC_PIDDIRS_UNRESTRICTED
+       bool "no restriction"
+       depends on PROC_FS
+       help
+         Don't restrict access to /proc/<pid>-dirs, i.e. leave mode at 555
+         respectively r-xr-xr-x . This is the traditional mode of operation.
+
+         If unsure, say Y.
+config PROC_PIDDIRS_RESTRICT_TO_UG
+       bool "restrict to user and group
+       depends on PROC_FS
+       help
+         Restrict access to /proc/<pid>-dirs to user and group, i.e. set mode
+         to 550 respectively r-xr-x--- .
+
+         If unsure, say N.
+
+config PROC_PIDDIRS_RESTRICT_TO_U
+       bool "restrict to user
+       depends on PROC_FS
+       help
+         Restrict access to /proc/<pid>-dirs to user only, i.e. set mode to
+         500 respectively r-x------ .
+
+         If unsure, say N.
+endchoice
+
 config PROC_SYSCTL
        bool "Sysctl support (/proc/sys)" if EMBEDDED
        depends on PROC_FS
--- linux-2.6.23.8/fs/proc/base.c       2007-11-16 19:14:27.000000000 +0100
+++ linux-2.6.23.8-dhr/fs/proc/base.c   2007-11-21 10:44:17.000000000 +0100
@@ -2200,7 +2200,13 @@
        if (!inode)
                goto out;

+#if defined CONFIG_PROC_PIDDIRS_UNRESTRICTED
        inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
+#elif defined CONFIG_PROC_PIDDIRS_RESTRICT_TO_UG
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
+#elif defined CONFIG_PROC_PIDDIRS_RESTRICT_TO_U
+       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
+#endif
        inode->i_op = &proc_tgid_base_inode_operations;
        inode->i_fop = &proc_tgid_base_operations;
        inode->i_flags|=S_IMMUTABLE;

Reply to:

Follow-Ups:
- Re: Patch: Hide process info from other users/users not in my group
  - From: dann frazier <dannf@dannf.org>

Prev by Date: Bug#452069: nfs-kernel-server: broken NFS server on Thecus N2100
Next by Date: Bug#452429: linux-image-2.6.22-3-amd64: Oops in udf_statfs
Previous by thread: Bug#452069: nfs-kernel-server: broken NFS server on Thecus N2100
Next by thread: Re: Patch: Hide process info from other users/users not in my group
Index(es):
- Date
- Thread