How to deny other people to see my running details after “top” command and press key “c”
In my school, we share one server to run programs.
Using top, we can see the situation of the server; if we press the key c, we can even see the command details, somehow including my lab data information.
So how can I deny other people from seeing my running details even after using c? Can it show only the name of the process, java or awk, but hide the details?
linux process top access-control
edited Jul 16 at 3:50 by slm♦
asked Jul 12 at 1:35 by Grace_G
1 Answer
accepted
Hiding your user info
So with top, its default behavior is to show all the processes on the box and you can't really deny other users from seeing these details. Methods for doing this are discussed in this U&L Q&A titled:
- How to make a process invisible to other users?
- Hiding Linux Processes For Fun And Profit
- Is it possible to 'hide' a process from the listing of ps or top on Linux
The 3rd link shows an interesting method which is a kernel patch that added an option called hidepid to mount in Linux kernels 3.3+:
    $ mount /proc -o remount,hidepid=2
hidepid=0 (default) means the old behavior - anybody may read all world-readable /proc/PID/* files.
hidepid=1 means users may not access any /proc/<pid>/ directories, but their own. Sensitive files like cmdline, sched*, status are now protected against other users. As permission checking done in proc_pid_permission() and files' permissions are left untouched, programs expecting specific files' modes are not confused.
hidepid=2 means hidepid=1 plus all /proc/PID/ will be invisible to other users. It doesn't mean that it hides whether a process exists (it can be learned by other means, e.g. by kill -0 $PID), but it hides process' euid and egid. It complicates intruder's task of gathering info about running processes, whether some daemon runs with elevated privileges, whether another user runs some sensitive program, whether other users run any program at all, etc.
gid=XXX defines a group that will be able to gather all processes' info (as in hidepid=0 mode). This group should be used instead of putting nonroot user in sudoers file or something. However, untrusted users (like daemons, etc.) which are not supposed to monitor the tasks in the whole system should not be added to the group.
NOTE: This doesn't give you any ability to control visibility, only restrict users to see their details under /proc.
Hiding other user's info
If you want to hide other users when you're using top you can do that like this:
    $ top -u '!root'
    ...
    top - 00:04:16 up 2 days, 1:51, 1 user, load average: 0.00, 0.01, 0.05
    Tasks: 80 total, 1 running, 79 sleeping, 0 stopped, 0 zombie
    %Cpu(s): 0.0 us, 0.3 sy, 0.0 ni, 99.7 id, 0.0 wa, 0.0 hi, 0.0 si, 0.0 st
    KiB Mem : 1016156 total, 204212 free, 80104 used, 731840 buff/cache
    KiB Swap: 2097148 total, 2097148 free, 0 used. 755224 avail Mem
      PID USER      PR  NI    VIRT    RES    SHR S %CPU %MEM     TIME+ COMMAND
      597 dbus      20   0   26668   1924   1364 S  0.0  0.2   0:08.55 dbus-daemon
      633 polkitd   20   0  536264  10216   4796 S  0.0  1.0   0:00.35 polkitd
      634 libstor+  20   0    8576    816    668 S  0.0  0.1   0:00.49 lsmd
     1305 postfix   20   0   91956   4292   3232 S  0.0  0.4   0:00.09 qmgr
     4199 vagrant   20   0  152392   3020   1424 S  0.0  0.3   0:01.53 sshd
     4200 vagrant   20   0  116196   2928   1796 S  0.0  0.3   0:00.05 bash
     5622 postfix   20   0   91776   4044   3028 S  0.0  0.4   0:00.00 pickup
     5672 user1     20   0  116096   2864   1808 S  0.0  0.3   0:00.04 bash
     5758 user1     20   0  157624   2136   1544 R  0.0  0.2   0:00.00 top
The notation '!root' means to not show the root user.
edited Jul 12 at 11:34
answered Jul 12 at 4:09 by slm♦
hidepid would be a patch on the date of that link, but nowadays is part of the kernel I think. Been using it with a vanilla kernel for a couple of years in Debian now. See unix.stackexchange.com/questions/244353/… Beware some daemons/services or their scripts need to see other users, from the top of my head MySQL or/and BIND.
– Rui F Ribeiro, Jul 12 at 7:38
@RuiFRibeiro - agreed, it would be mainline at this point, not something that you'd have to roll yourself. I think I said that too loosely, I used the word adds instead of added - edited.
– slm♦, Jul 12 at 11:33
@RuiFRibeiro - this link even states that it's mainline - linux-audit.com/linux-system-hardening-adding-hidepid-to-proc.
– slm♦, Jul 12 at 11:35
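A way to check what the hidepid and gid options discussed above amount to on a given host, as an added example that is not part of the original answer or comments. The function names, the sample mount lines and the gid value 1500 are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit how /proc is mounted and whether other users'
# command lines are actually readable from the current account.

# Print "<hidepid> <gid>" for the proc filesystem mounted on /proc, read from
# a table in /proc/mounts format (file argument, "-" for stdin, default: live
# table). If /proc is mounted more than once, the last entry wins. Missing
# options are reported as hidepid 0 (the default) and gid "-".
proc_hidepid() {
    awk '$2 == "/proc" && $3 == "proc" {
        found = 1; hp = "0"; gid = "-"
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++) {
            if (opt[i] ~ /^hidepid=/) hp  = substr(opt[i], 9)
            if (opt[i] ~ /^gid=/)     gid = substr(opt[i], 5)
        }
    }
    END { if (found) print hp, gid }' "${1:-/proc/mounts}"
}

# Translate a hidepid value into the behaviour described in the answer.
# Newer kernels report the level as a name instead of a number.
describe_hidepid() {
    case "$1" in
        0|off)       echo "open: anybody may read world-readable /proc/PID/* files" ;;
        1|noaccess)  echo "restricted: other users' /proc/PID directories are not accessible" ;;
        2|invisible) echo "hidden: other users' /proc/PID entries are not listed at all" ;;
        *)           echo "unknown hidepid value: $1"; return 1 ;;
    esac
}

# Count processes owned by someone else whose cmdline this account can read.
# 0 is the expected result for an ordinary user under hidepid=1 or 2; root and
# members of the gid= group still see everything.
count_foreign_cmdlines() (
    me=$(id -u); n=0
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] || continue
        owner=$(ls -dn "$d" 2>/dev/null | awk '{print $3}')
        [ -n "$owner" ] || continue          # process exited meanwhile
        [ "$owner" = "$me" ] && continue     # our own process
        if [ -r "$d/cmdline" ]; then n=$((n + 1)); fi
    done
    echo "$n"
)

# Constructed sample mount lines (not captured from a real host).
sample_default='proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0'
sample_hardened='proc /proc proc rw,nosuid,nodev,noexec,relatime,gid=1500,hidepid=2 0 0'

for t in "$sample_default" "$sample_hardened"; do
    set -- $(printf '%s\n' "$t" | proc_hidepid -)
    echo "hidepid=$1 gid=$2 -> $(describe_hidepid "$1")"
done

# Live check on the current host, if it has a /proc.
if [ -r /proc/mounts ]; then
    echo "this host: $(proc_hidepid); foreign cmdlines readable: $(count_foreign_cmdlines)"
fi
```

Run it as an ordinary user before and after the remount; a non-zero count after the remount means that account is root, is in the gid= group, or the option did not take effect.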