Process privileges

From pressy's brainbackup

How to limit display of processes

Normally a Solaris user sees all processes, not only their own. You can use process privileges to prevent that by removing proc_info from the users' default privilege set.

# ppriv -l -v proc_info
proc_info
Allows a process to examine the status of processes other
than those it can send signals to. Processes which cannot
be examined cannot be seen in /proc and appear not to exist.
# vi /etc/security/policy.conf
PRIV_DEFAULT=basic,!proc_info		-> uncomment the PRIV_DEFAULT line and append !proc_info
$ id -a
uid=101(foo) gid=1(other) groups=1(other)
$ ppriv $$
1915: -sh
flags =
E: basic,!proc_info
I: basic,!proc_info
P: basic,!proc_info
L: all
$ ls -l /proc
total 4
dr-x--x--x 5 foo other 832 Sep 24 22:52 1915
dr-x--x--x 5 foo other 832 Sep 24 22:56 1932

This applies to every user except root. To give proc_info back to individual users, such as a monitoring account, set defaultpriv for that user:

# vi /etc/user_attr
monitor::::lock_after_retries=no;defaultpriv=basic
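As an added example (not from the page or from Solaris), a POSIX sh audit helper that reads a policy.conf and a user_attr in the formats shown above and reports which accounts still hold proc_info after the two edits; the sample files it writes are constructed, and root (uid 0) is left out since the page notes it is unaffected.

```shell
#!/bin/sh
# Added audit helper (not from the page): which accounts keep proc_info?
# Assumes the formats shown above: policy.conf "PRIV_DEFAULT=..." and
# user_attr "user::::key=val;key=val". Root (uid 0) is out of scope.

# Last uncommented PRIV_DEFAULT line wins; Solaris falls back to "basic".
policy_default_set() {
    _v=$(sed -n 's/^[[:space:]]*PRIV_DEFAULT=//p' "$1" | tail -n 1)
    printf '%s\n' "${_v:-basic}"
}
# defaultpriv= from the user's user_attr line (field 5, ';'-separated), else empty.
user_default_set() {
    awk -F: -v u="$2" '$1 == u {
        n = split($5, a, ";")
        for (i = 1; i <= n; i++)
            if (a[i] ~ /^defaultpriv=/) { sub(/^defaultpriv=/, "", a[i]); print a[i] }
    }' "$1"
}
# A per-user defaultpriv replaces PRIV_DEFAULT entirely.
effective_default_set() {
    _s=$(user_default_set "$2" "$3")
    [ -n "$_s" ] || _s=$(policy_default_set "$1")
    printf '%s\n' "$_s"
}
# Exit 0 if the user keeps proc_info: "basic" and "all" contain it, "!proc_info" drops it.
user_sees_all_processes() {
    _s=$(effective_default_set "$1" "$2" "$3")
    case ",$_s," in
        *,!proc_info,*) return 1 ;;
        *,proc_info,*|*,basic,*|*,all,*) return 0 ;;
    esac
    return 1
}
# Constructed sample files mirroring the page's edits (not real system files).
write_samples() {
    printf '#PRIV_DEFAULT=basic\nPRIV_DEFAULT=basic,!proc_info\n' > "$1/policy.conf"
    printf '%s\n' 'root::::auths=solaris.*;profiles=All' \
        'monitor::::lock_after_retries=no;defaultpriv=basic' \
        'foo::::profiles=Basic Solaris User' > "$1/user_attr"
}

tmp=$(mktemp -d) && write_samples "$tmp"
for u in monitor foo; do
    if user_sees_all_processes "$tmp/policy.conf" "$tmp/user_attr" "$u"; then
        echo "$u: proc_info kept, sees every process in /proc"
    else
        echo "$u: proc_info removed, sees only its own processes"
    fi
done
rm -rf "$tmp"
```

Run it against the real /etc/security/policy.conf and /etc/user_attr by pointing the functions at those paths instead of the sample directory.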