How do I hide a specific process?

The hidepid option prevents users from seeing any process that does not belong to them, but it offers no way to pick particular processes. Is it possible to hide just a specific process on a Linux machine?

Answer 1

A bit dirty, and there may be a cleaner solution (possibly with SELinux or grsec), but you can do it by bind-mounting an empty directory over /proc/<pid>.

For example, something like:

mount -o bind /empty/dir /proc/42

will prevent ordinary users from seeing process 42.

However, they will see that something is hidden, since they will be able to see the mount point.

If you want to do this for a service, you will have to do it at every start, from its init script or by some other means.

If you only want to hide the pid from specific users, you can use namespaces (possibly with pam_namespace) to do the bind mount only in the target users' namespace.

To undo it, just run:

umount /proc/42

Answer 2

Since kernel 3.3, something has been implemented that does what you want.

According to proc(5):

hidepid=n (since Linux 3.3)
              This option controls who can access the information  in  /proc/[pid]  directories.
              The argument, n, is one of the following values:

              0   Everybody may access all /proc/[pid] directories.  This is the traditional be‐
                  havior, and the default if this mount option is not specified.

              1   Users may not access files and subdirectories inside any /proc/[pid]  directo‐
                  ries  but  their  own (the /proc/[pid] directories themselves remain visible).
                  Sensitive files such as /proc/[pid]/cmdline  and  /proc/[pid]/status  are  now
                  protected  against other users.  This makes it impossible to learn whether any
                  user is running a specific program (so long as the program  doesn't  otherwise
                  reveal itself by its behavior).

              2   As  for mode 1, but in addition the /proc/[pid] directories belonging to other
                  users become invisible.  This means that /proc/[pid] entries can no longer  be
                  used  to  discover  the PIDs on the system.  This doesn't hide the fact that a
                  process with a specific PID value exists (it can be learned  by  other  means,
                  for  example,  by "kill -0 $PID"), but it hides a process's UID and GID, which
                  could otherwise be learned by employing stat(2) on  a  /proc/[pid]  directory.
                  This  greatly  complicates  an  attacker's task of gathering information about
                  running processes (e.g., discovering whether some daemon is running with  ele‐
                  vated  privileges,  whether  another  user  is running some sensitive program,
                  whether other users are running any program at all, and so on).

       gid=gid (since Linux 3.3)
              Specifies the ID of a group whose members are authorized to learn process informa‐
              tion  otherwise  prohibited by hidepid (i.e., users in this group behave as though
              /proc was mounted with hidepid=0).  This group  should  be  used  instead  of  ap‐
              proaches such as putting nonroot users into the sudoers(5) file.

This is useful because you can choose who is allowed to read /proc/PID.

So if you want to try it, remember to remount /proc according to your needs:

-- Real-world example:

: su -
Password: 
root@foo:~# mount -o remount,hidepid=2 /proc
root@foo:~# exit
logout
:ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
tntx          709  0.0  0.1  33980  8012 tty2      S   18:12   0:00 irssi
tntx          746  0.0  0.0   8868  3880 tty1     S    18:13   0:00 -ksh93

So now I cannot see any processes other than my own via ps(1) or lsof(8).
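An audit helper covering both answers, added here as an example and not part of either answer: it reads /proc/self/mountinfo (or a file passed as its argument) and reports (a) any mount placed over a /proc/<pid> directory, which is the visible trace answer 1 warns other users can spot, and (b) the effective hidepid mode and gid of the /proc mount, to confirm that a remount like the one in answer 2 actually took effect. The mountinfo lines, PID 42, the /empty/dir path and gid 1001 are constructed sample data; the named modes off/noaccess/invisible/ptraceable are the spellings newer kernels accept alongside the numeric ones.

```shell
#!/bin/sh
# Constructed sample of /proc/self/mountinfo: /proc remounted with
# hidepid=2,gid=1001 and an empty directory bind-mounted over /proc/42.
SAMPLE_MOUNTINFO=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTINFO"' EXIT
cat >"$SAMPLE_MOUNTINFO" <<'EOF'
22 28 0:20 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw,hidepid=2,gid=1001
25 28 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
101 22 8:1 /empty/dir /proc/42 rw,relatime shared:1 - ext4 /dev/sda1 rw,errors=remount-ro
EOF

# Print every mount whose mount point is a /proc/<pid> directory as
# "<pid> <fstype> <source-root>". These are the mount points that give
# away a hidden process, as noted in answer 1.
proc_pid_overlays() {
    awk '$5 ~ /^\/proc\/[0-9]+$/ {
            # optional fields end at the "-" separator; fstype follows it
            for (i = 7; i <= NF; i++) if ($i == "-") break
            sub("^/proc/", "", $5)
            print $5, $(i+1), $4
         }' "${1:-/proc/self/mountinfo}"
}

# Report the /proc mount's effective mode as "hidepid=<0|1|2|4> gid=<gid>",
# normalising the named forms (off/noaccess/invisible/ptraceable) that
# newer kernels accept and display. gid is empty when none is set.
proc_hidepid() {
    awk '$5 == "/proc" {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            mode = 0; gid = ""
            # super options are the third field after the "-" separator
            n = split($(i+3), opts, ",")
            for (j = 1; j <= n; j++) {
                if (opts[j] ~ /^hidepid=/) mode = substr(opts[j], 9)
                if (opts[j] ~ /^gid=/)     gid  = substr(opts[j], 5)
            }
            if (mode == "off")        mode = 0
            if (mode == "noaccess")   mode = 1
            if (mode == "invisible")  mode = 2
            if (mode == "ptraceable") mode = 4
            printf "hidepid=%s gid=%s\n", mode, gid
            exit
         }' "${1:-/proc/self/mountinfo}"
}

# Run against the constructed sample; drop the argument to audit the live host.
proc_pid_overlays "$SAMPLE_MOUNTINFO"
proc_hidepid "$SAMPLE_MOUNTINFO"
```

Running both functions without an argument on a real machine is a quick way to check, after a `mount -o remount,hidepid=2 /proc`, that the option is in effect for the mount your shell actually sees, and whether any per-PID bind mounts are present.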
