[systemd-devel] How to prevent users from seeing other user processes with loginctl/systemctl?
Mantas Mikulėnas
grawity at gmail.com
Sun Jun 4 14:00:05 UTC 2023
Assuming you already have "hidepid" configured for /proc, you'll still need
to block access to the corresponding systemd D-Bus call:
$ cat /etc/dbus-1/system.d/systemd-restrict.conf
<?xml version="1.0"?>
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <!-- root may still list the processes of any unit -->
  <policy user="root">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <!-- members of the "proc" group may too -->
  <policy group="proc">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager"
           send_member="GetUnitProcesses"/>
  </policy>
  <!-- everyone else is denied; the user/group rules above still win because
       dbus-daemon applies default, then group, then user policies, regardless
       of their order in the file -->
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager"
          send_member="GetUnitProcesses"/>
  </policy>
</busconfig>
On Sun, Jun 4, 2023, 12:50 antisimus <antisimus at gmail.com> wrote:
> Hello,
>
> Is there a way to hide process information (pids, command line) and
> prevent one user from accessing other users' process information?
>
> On a shared system this can be a potential security risk and I really do
> not like the idea of users inspecting each other's running processes.
> Here I have user *bob* accessing user *alice* process info, but the same can
> be done even to inspect *root* user's processes.
>
> systemd 247 (247.3-7+deb11u2)
> Linux systemd-vps 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12)
> x86_64 GNU/Linux
>
> bob@systemd-vps:~$ loginctl user-status alice
> alice (1002)
>            Since: Sun 2023-06-04 08:37:18 UTC; 2min 39s ago
>            State: active
>         Sessions: *7
>           Linger: no
>             Unit: user-1002.slice
>                   ├─session-7.scope
>                   │ ├─1025 sshd: alice [priv]
>                   │ ├─1046 sshd: alice@pts/1
>                   │ ├─1047 -bash
>                   │ ├─1305 bash myapp.sh
>                   │ └─1306 sleep 5
>                   └─user@1002.service
>                     └─init.scope
>                       ├─1028 /lib/systemd/systemd --user
>                       └─1029 (sd-pam)
>
> bob@systemd-vps:~$ loginctl user-status root
> root (0)
>            Since: Sun 2023-06-04 09:43:03 UTC; 3min 45s ago
>            State: active
>         Sessions: 5 *1
>           Linger: no
>             Unit: user-0.slice
>                   ├─session-1.scope
>                   │ ├─740 sshd: root@pts/0
>                   │ ├─765 -bash
>                   │ ├─769 su - bob
>                   │ ├─770 -bash
>                   │ ├─877 loginctl user-status root
>                   │ └─878 less
>                   ├─session-5.scope
>                   │ ├─820 sshd: root@pts/2
>                   │ ├─826 -bash
>                   │ └─872 sleep 100
>                   └─user@0.service
>                     └─init.scope
>                       ├─747 /lib/systemd/systemd --user
>                       └─748 (sd-pam)
>
>
> Best regards,
> Ante
>
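To check who the policy in the reply actually lets call GetUnitProcesses before rolling it out, the following added example (not code from the thread or from systemd) re-implements dbus-daemon's policy evaluation order over that one file. It assumes systemd's own policy file would otherwise allow the call (`prior=True`) and evaluates only this file, whereas a real bus merges every file under /etc/dbus-1/system.d.

```python
# Added example, not code from the thread: evaluate a D-Bus policy file the
# way dbus-daemon does, to check who may call GetUnitProcesses. It reads one
# file; a real bus merges every file under /etc/dbus-1/system.d.
import xml.etree.ElementTree as ET

POLICY_XML = """<?xml version="1.0"?>
<busconfig>
  <policy user="root">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
  <policy group="proc">
    <allow send_destination="org.freedesktop.systemd1"
           send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1"
          send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
</busconfig>
"""  # the policy from the reply above, embedded so this runs offline

GET_UNIT_PROCESSES = {  # the method call the reply restricts
    "send_destination": "org.freedesktop.systemd1",
    "send_interface": "org.freedesktop.systemd1.Manager",
    "send_member": "GetUnitProcesses",
}

def rule_matches(rule, call):
    """A rule applies only if every send_* attribute it sets matches the call."""
    attrs = {k: v for k, v in rule.attrib.items() if k.startswith("send_")}
    return bool(attrs) and all(call.get(k) == v for k, v in attrs.items())

def send_allowed(policy_xml, user, groups, call, prior=True):
    """True if `user` (in `groups`) may send `call`; `prior` is the verdict
    from other policy files (assumed: systemd's own file allows this call).
    Blocks apply in fixed order, later overriding: default, group, user, mandatory."""
    root = ET.fromstring(policy_xml)
    stages = [lambda p: p.get("context") == "default",
              lambda p: p.get("group") in groups,
              lambda p: p.get("user") == user,
              lambda p: p.get("context") == "mandatory"]
    verdict = prior
    for applies in stages:
        for policy in filter(applies, root.findall("policy")):
            for rule in policy:  # within a block, later rules win
                if rule.tag in ("allow", "deny") and rule_matches(rule, call):
                    verdict = rule.tag == "allow"
    return verdict
```

Because block order is fixed by type rather than by position in the file, the `context="default"` deny cannot shadow the root or `proc` allows even though it is written last.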