[systemd-devel] How to prevent users from seeing other user processes with loginctl/systemctl?
antisimus
antisimus at gmail.com
Sun Jun 4 15:33:03 UTC 2023
This is it. It works.
Yes, I have "hidepid=2" configured proc mount, with your addition
everything works as expected.
Thank you very much Mantas.
On Sun, 4 Jun 2023 at 16:00, Mantas Mikulėnas <grawity at gmail.com> wrote:
> Assuming you already have "hidepid" configured for /proc, you'll still
> need to block access to the corresponding systemd D-Bus call:
>
> $ cat /etc/dbus-1/system.d/systemd-restrict.conf
>
> <?xml version="1.0"?>
> <busconfig>
> <policy user="root">
> <allow send_destination="org.freedesktop.systemd1"
> send_interface="org.freedesktop.systemd1.Manager"
> send_member="GetUnitProcesses"/>
> </policy>
>
> <policy group="proc">
> <allow send_destination="org.freedesktop.systemd1"
> send_interface="org.freedesktop.systemd1.Manager"
> send_member="GetUnitProcesses"/>
> </policy>
>
> <policy context="default">
> <deny send_destination="org.freedesktop.systemd1"
> send_interface="org.freedesktop.systemd1.Manager"
> send_member="GetUnitProcesses"/>
> </policy>
> </busconfig>
>
>
> On Sun, Jun 4, 2023, 12:50 antisimus <antisimus at gmail.com> wrote:
>
>> Hello,
>>
>> Is there a way to hide process information (pids, command line) and
>> prevent one user from accessing other users' process information?
>>
>> On a shared system this can be a potential security risk and I really do
>> not like the idea of users inspecting each other's running processes.
>> Here I have user bob accessing user alice's process info, but the same can
>> be done even to inspect the root user's processes:
>>
>> systemd 247 (247.3-7+deb11u2)
>> Linux systemd-vps 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12)
>> x86_64 GNU/Linux
>>
>> bob at systemd-vps:~$ loginctl user-status alice
>> alice (1002)
>> Since: Sun 2023-06-04 08:37:18 UTC; 2min 39s ago
>> State: active
>> Sessions: *7
>> Linger: no
>> Unit: user-1002.slice
>>       ├─session-7.scope
>>       │ ├─1025 sshd: alice [priv]
>>       │ ├─1046 sshd: alice@pts/1
>>       │ ├─1047 -bash
>>       │ ├─1305 bash myapp.sh
>>       │ └─1306 sleep 5
>>       └─user@1002.service
>>         └─init.scope
>>           ├─1028 /lib/systemd/systemd --user
>>           └─1029 (sd-pam)
>>
>> bob at systemd-vps:~$ loginctl user-status root
>> root (0)
>> Since: Sun 2023-06-04 09:43:03 UTC; 3min 45s ago
>> State: active
>> Sessions: 5 *1
>> Linger: no
>> Unit: user-0.slice
>>       ├─session-1.scope
>>       │ ├─740 sshd: root@pts/0
>>       │ ├─765 -bash
>>       │ ├─769 su - bob
>>       │ ├─770 -bash
>>       │ ├─877 loginctl user-status root
>>       │ └─878 less
>>       ├─session-5.scope
>>       │ ├─820 sshd: root@pts/2
>>       │ ├─826 -bash
>>       │ └─872 sleep 100
>>       └─user@0.service
>>         └─init.scope
>>           ├─747 /lib/systemd/systemd --user
>>           └─748 (sd-pam)
>>
>> Best regards,
>> Ante
>>
>
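The fix the thread settles on has two halves: hidepid=2 on /proc, and a D-Bus policy that denies GetUnitProcesses to anyone outside root and group proc. As an added example that is not part of the thread, the Python below models how dbus-daemon resolves Mantas's policy for a given caller (default context, then the caller's group sections, then the user section; the last matching rule wins; mandatory-context policies are not modelled) and checks a /proc/self/mounts-style line for hidepid=2. The mounts line is constructed; the policy XML is the one posted above with each rule's attributes joined onto one line.

```python
# Added example (not from the thread): model how dbus-daemon resolves the posted
# systemd-restrict.conf for a given caller, and check a mount line for hidepid=2.
import xml.etree.ElementTree as ET

# Mantas's policy file as the sample input, each rule's attributes joined on one line.
POLICY_XML = """<?xml version="1.0"?>
<busconfig>
  <policy user="root">
    <allow send_destination="org.freedesktop.systemd1" send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
  <policy group="proc">
    <allow send_destination="org.freedesktop.systemd1" send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.freedesktop.systemd1" send_interface="org.freedesktop.systemd1.Manager" send_member="GetUnitProcesses"/>
  </policy>
</busconfig>"""

# The method loginctl/systemctl call to list a unit's PIDs, as a rule would see it.
GET_UNIT_PROCESSES = {"send_destination": "org.freedesktop.systemd1",
                      "send_interface": "org.freedesktop.systemd1.Manager",
                      "send_member": "GetUnitProcesses"}

def call_allowed(policy_xml, user, groups, call=GET_UNIT_PROCESSES):
    """Simplified dbus-daemon resolution: <policy context="default"> rules, then
    the caller's <policy group=...> rules, then <policy user=...>; the last match
    wins. A rule matches when every attribute it sets equals the call's value."""
    policies = ET.fromstring(policy_xml).findall("policy")
    ordered = [p for p in policies if p.get("context") == "default"]
    ordered += [p for p in policies if p.get("group") in groups]
    ordered += [p for p in policies if p.get("user") == user]
    verdict = True  # no matching rule at all: dbus-daemon itself would allow
    for policy in ordered:
        for rule in policy:
            if all(call.get(k) == v for k, v in rule.attrib.items()):
                verdict = rule.tag == "allow"
    return verdict

def proc_hidepid_ok(mounts_text):
    """True if the /proc entry in /proc/self/mounts-style text carries hidepid=2
    (or its alias hidepid=invisible), the other half of the fix."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc" and fields[2] == "proc":
            opts = fields[3].split(",")
            return "hidepid=2" in opts or "hidepid=invisible" in opts
    return False

# Constructed /proc/self/mounts line (not from the thread) for a quick self-check.
SAMPLE_MOUNTS = "proc /proc proc rw,nosuid,nodev,noexec,relatime,hidepid=2 0 0\n"
```

Calling `call_allowed(POLICY_XML, "bob", ["users"])` yields False while root and any member of group proc get True; on a live host, pass `open("/proc/self/mounts").read()` to `proc_hidepid_ok` and the real config file to `call_allowed`.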